
IBM/power-vpn-server

PowerVPN Client to Site Server

Overview

This Terraform module creates a VPC VPN Server and attaches it to a new or existing PowerVS Workspace, providing secure client-to-site access to IBM Cloud Power infrastructure.

This Terraform module deploys the following infrastructure:

  • VPC
  • VPC Subnet
  • VPC Security Groups
  • VPC VPN Server
  • COS Bucket with OVPN file
  • Secrets Manager Certificate
  • PowerVS Workspace (Optional)
  • Transit Gateway (Optional)
  • Cloud Connection w/DirectLink* (Optional)

* Only in locations without Power Edge Routers

Deployment Model


Power Edge Router vs Cloud Connection

This automation includes a data file used to determine whether a PowerVS location has a Power Edge Router. If the location does not have a Power Edge Router, the automation creates a Cloud Connection and attaches its Direct Link connection to the Transit Gateway so that traffic is routed to the VPC.

When using a PowerVS location where a Cloud Connection is needed, Subnets created in the PowerVS Workspace will need to be connected with the Cloud Connection before traffic will be routed to the Transit Gateway. This can be done during the Subnet creation.

Attach Cloud Connection

Setup Requirements

Prerequisites

Upgrading your IBM Cloud Account

To order and use IBM Cloud services, billing information is required for your account. See Upgrading Your Account.

IAM Access

You will need the following IAM access, or higher, to deploy this VPN.

Service Name (Resource Type)                                  Service Access   Platform Access
VPC Infrastructure Services                                   -                Editor
  (Virtual Private Cloud, Subnet, Security Group for VPC,
   Client VPN for VPC)
Cloud Object Storage                                          Writer           -
Secrets Manager                                               Writer           -
Transit Gateway (Transit Gateway)                             Manager          Editor
Workspace for Power Systems Virtual Server                    Manager          Editor

Install Terraform

If you wish to run Terraform locally, see Install Terraform.

IBM Cloud API Key

You must supply an IBM Cloud API key so that Terraform can connect to the IBM Cloud Terraform provider. See Create API Key.

Secrets Manager

You must have an IBM Cloud Secrets Manager instance in your account. It is used to store the certificate created by this module for use with the VPN Server. The Secrets Manager may be located in any region or any Resource Group. To specify a Resource Group other than the one this module creates resources in, set the optional variable secret_manager_resource_group_name.

You can create the Secrets Manager by visiting IBM Cloud Catalog - Create Secrets Manager.

Authorization Policy

A privileged user for the account will need to create an authorization policy that allows the VPC VPN service to read secrets in the Secrets Manager service instance(s). The policy should look similar to this:

Authorization Policy

To create the authorization policy, set the Source service to VPC Infrastructure Services and scope the source resources by the attribute Resource type with the value Client VPN for VPC. Set the Target service to Secrets Manager. You may optionally narrow the target scope by various attributes, including the exact instance created in the Secrets Manager prerequisite step above. Then grant the Service access role SecretsReader.


Object Storage

You must have an IBM Cloud Object Storage instance in your account. It is used to store the OpenVPN configuration file created by this module. The COS instance may be located in any Resource Group. To specify a Resource Group other than the one this module creates resources in, set the optional variable cos_instance_resource_group_name.

You can create the Object Storage instance by visiting IBM Cloud Catalog - Create Object Storage.

Variable Behavior

There are a number of variables defined in variables.tf used by this Terraform module to deploy and configure your infrastructure. This section will describe variable behavior. See variables.tf for full list of variables with their descriptions, defaults, and conditions.

Support

If you have problems or questions when using the underlying IBM Cloud infrastructure, you can get help by searching for information or by asking questions through one of the forums. You can also create a case in the IBM Cloud console.

For information about opening an IBM support ticket, see Contacting support.

To report bugs or make feature requests regarding this Terraform module, please create an issue in this repository.


Requirements

Name Version
terraform >= 1.0.0
ibm 1.62.0
random 3.5.1

Providers

Name Version
ibm 1.62.0
random 3.5.1

Modules

Name Source Version
certificate ./modules/certificate n/a
cloud_connection ./modules/cloud-connection n/a
cos_upload ./modules/cos-upload n/a
ovpn ./modules/ovpn n/a
power ./modules/power n/a
transit ./modules/transit n/a
vpc ./modules/vpc n/a
vpn ./modules/vpn n/a

Resources

Name Type
random_string.resource_identifier resource
ibm_resource_group.cos_instance data source
ibm_resource_group.group data source
ibm_resource_group.secret_manager data source
ibm_resource_instance.power_workspace data source

Inputs

Each input is listed as: name (type, default, required or optional), followed by its description.

cos_instance_name (string, no default, required)
  The Cloud Object Storage instance name used to create a bucket with the OVPN configuration file in.
  The configuration file is used with OpenVPN Connect to connect your remote machine with the VPN created in IBM Cloud.
  The COS instance may be in any Resource Group. By default, the Resource Group specified by the variable
  resource_group_name will be used to locate the COS instance. However, if the COS instance is in another
  Resource Group, use the optional variable cos_instance_resource_group_name to specify it.

cos_instance_resource_group_name (string, default "", optional)
  Optional variable to specify the Resource Group the Cloud Object Storage instance is in.
  If not supplied, the value specified for resource_group_name will be used to locate your COS instance.

create_default_vpc_address_prefixes (bool, default false, optional)
  Optional variable to indicate whether a default address prefix should be created for each zone in this VPC.

data_location_file_path (string, default "./data/locations.yaml", optional)
  Optional variable to specify where the file with PER location data is stored. This variable is used
  for testing, and should not normally need to be altered.

ibmcloud_api_key (string, no default, required)
  The IBM Cloud platform API key needed to deploy IAM enabled resources.

name (string, no default, required)
  The name used for the new Power Workspace, Transit Gateway, and VPC.
  Other resources created will use this as their basename, suffixed by a random identifier.

per_override (bool, default false, optional)
  Optional variable to force the PowerVS location to be treated as PER enabled by this automation.
  When set true, this forces the use of PER instead of creating Cloud Connections.
  Set true when a location has been upgraded to PER before this automation has been made aware of it.
  See Getting started with the Power Edge Router for a complete list of PER enabled locations.

power_cloud_connection_speed (number, default 1000, optional)
  Optional variable to specify the speed of the cloud connection (speed in megabits per second).
  This only applies to locations WITHOUT Power Edge Routers.
  Supported values are 50, 100, 200, 500, 1000, 2000, 5000, 10000. Default value is 1000.

power_workspace_location (string, no default, required)
  The location used to create the power workspace.
  Available locations are: dal10, dal12, us-south, us-east, wdc06, wdc07, sao01, sao04, tor01, mon01,
  eu-de-1, eu-de-2, lon04, lon06, syd04, syd05, tok04, osa21, mad02, mad04.
  Please see PowerVS Locations for a complete list of PowerVS locations.

power_workspace_name (string, default "", optional)
  Optional variable to specify the name of an existing power workspace.
  If supplied, that workspace will be connected to the VPN.

resource_group_name (string, no default, required)
  Resource Group to create new resources in (Resource Group name is case sensitive).
  This will also be used to locate your existing Secrets Manager and Cloud Object Storage instance.
  If the Secrets Manager or Cloud Object Storage instance is in a different resource group, use the optional
  variables secret_manager_resource_group_name and cos_instance_resource_group_name, respectively, to specify those.

secret_manager_name (string, no default, required)
  The Secrets Manager to create the VPN certificate in.
  The Secrets Manager may be in any Resource Group or Region. By default, the Resource Group specified by the
  variable resource_group_name will be used to locate the Secrets Manager. However, if the Secrets Manager is in
  another Resource Group, use the optional variable secret_manager_resource_group_name to specify it.

secret_manager_resource_group_name (string, default "", optional)
  Optional variable to specify the Resource Group the Secrets Manager is in.
  If not supplied, the value specified for resource_group_name will be used to locate your Secrets Manager.

transit_gateway_name (string, default "", optional)
  Optional variable to specify the name of an existing transit gateway. If supplied, it is assumed that you have
  already connected your power workspace to it. A connection to the VPC containing the VPN Server will be added,
  but not for the Power Workspace. Supplying this variable will also suppress Power Workspace creation.

vpn_client_cidr (string, default "192.168.8.0/22", optional)
  Optional variable to specify the CIDR for the VPN client IP pool. This is the IP space used by machines
  connecting through the VPN. You should only need to change this if it conflicts with your local network.

vpn_subnet_cidr (string, default "10.134.0.0/28", optional)
  Optional variable to specify the CIDR for the subnet the VPN will be placed in. You should only need to change
  this if it conflicts with your Power Workspace subnets or with a VPC connected to this solution.
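The following is an added example root configuration, not code from this repository: it creates the Authorization Policy from the prerequisite above scoped to a single Secrets Manager instance (least privilege) and then calls the module, demonstrating the resource-group lookup behavior of secret_manager_resource_group_name. The module source path, the instance and resource-group names, and the IBM provider service names "is", "vpn-server" and "secrets-manager" are assumptions; check them against the provider documentation for your version.

```hcl
# Added example; assumes the module is consumed straight from GitHub.
variable "ibmcloud_api_key" {
  type      = string
  sensitive = true            # never commit the key; pass it via TF_VAR_ibmcloud_api_key
}

provider "ibm" {
  ibmcloud_api_key = var.ibmcloud_api_key
  region           = "us-south"
}

# Look up the existing Secrets Manager instance (placeholder name) so the
# authorization policy can be pinned to that one instance rather than to
# every Secrets Manager instance in the account.
data "ibm_resource_instance" "secrets_manager" {
  name    = "my-secrets-manager"
  service = "secrets-manager"
}

# Source: VPC Infrastructure Services, scoped to Client VPN for VPC.
# Target: this Secrets Manager instance only. Role: SecretsReader.
# Service/resource-type identifiers are assumed provider values.
resource "ibm_iam_authorization_policy" "vpn_reads_secrets" {
  source_service_name         = "is"
  source_resource_type        = "vpn-server"
  target_service_name         = "secrets-manager"
  target_resource_instance_id = data.ibm_resource_instance.secrets_manager.guid
  roles                       = ["SecretsReader"]
}

module "power_vpn" {
  source = "github.com/IBM/power-vpn-server"   # assumed module source path

  ibmcloud_api_key         = var.ibmcloud_api_key
  name                     = "powervpn-demo"
  resource_group_name      = "Default"          # new resources and COS lookup
  power_workspace_location = "dal10"
  cos_instance_name        = "my-cos-instance"  # placeholder, in "Default"
  secret_manager_name      = "my-secrets-manager"
  # Secrets Manager lives in a different resource group, so override the lookup:
  secret_manager_resource_group_name = "security-rg"
  vpn_client_cidr          = "192.168.8.0/22"   # change only on local conflict

  # The VPN Server reads its certificate at create time; order the policy first.
  depends_on = [ibm_iam_authorization_policy.vpn_reads_secrets]
}

output "ovpn_bucket_url" {
  value = module.power_vpn.bucket_url
}
```

After apply, download the OVPN file from the bucket URL and treat it like a credential: it carries the client configuration for reaching the Power network.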

Outputs

Name Description
bucket_url URL to bucket containing the OVPN file