Merge pull request #523 from aztfmod/integration518

Add support for vpn_sites and vpn_gateway_connections #518
aztfmod · Jun 18, 2021 · 717c9e9 · 717c9e9
2 parents b7572e3 + 1d2e83f
commit 717c9e9
Show file tree

Hide file tree

Showing 26 changed files with 488 additions and 7 deletions.
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -36,7 +36,7 @@
 
     // Add the IDs of extensions you want installed when the container is created in the array below.
     "extensions": [
-        "4ops.terraform",
+        "hashicorp.terraform",
         "mutantdino.resourcemonitor",
         "ms-azure-devops.azure-pipelines",
         "omartawfik.github-actions-vscode"

diff --git a/.github/workflows/master-standalone-tf13.yaml b/.github/workflows/master-standalone-tf13.yaml
@@ -117,6 +117,8 @@ jobs:
             "networking/virtual_wan/104-vwan-hub-gw-spp",
             "networking/virtual_wan/105-vwan-hub-route-table",
             "networking/virtual_wan/106-vwan-hub-routes",
+            "networking/virtual_wan/108-vwan-vpn-site",
+            "networking/virtual_wan/109-vwan-vpn-gateway-connection",
             "postgresql_server/100-simple-postgresql",
             "postgresql_server/101-vnet-rule-postgresql",
             "postgresql_server/102-private-endpoint-postgresql",

diff --git a/.github/workflows/master-standalone-tf14.yaml b/.github/workflows/master-standalone-tf14.yaml
@@ -114,6 +114,8 @@ jobs:
             "networking/virtual_wan/104-vwan-hub-gw-spp",
             "networking/virtual_wan/105-vwan-hub-route-table",
             "networking/virtual_wan/106-vwan-hub-routes",
+            "networking/virtual_wan/108-vwan-vpn-site",
+            "networking/virtual_wan/109-vwan-vpn-gateway-connection",
             "postgresql_server/100-simple-postgresql",
             "postgresql_server/101-vnet-rule-postgresql",
             "postgresql_server/102-private-endpoint-postgresql",

diff --git a/.github/workflows/master-standalone-tf15.yaml b/.github/workflows/master-standalone-tf15.yaml
@@ -121,6 +121,8 @@ jobs:
             "networking/virtual_wan/104-vwan-hub-gw-spp",
             "networking/virtual_wan/105-vwan-hub-route-table",
             "networking/virtual_wan/106-vwan-hub-routes",
+            "networking/virtual_wan/108-vwan-vpn-site",
+            "networking/virtual_wan/109-vwan-vpn-gateway-connection",
             "postgresql_server/100-simple-postgresql",
             "postgresql_server/101-vnet-rule-postgresql",
             "postgresql_server/102-private-endpoint-postgresql",

diff --git a/examples/compute/virtual_machine/106-marketplace-image-with-plan/configuration.tfvars b/examples/compute/virtual_machine/106-marketplace-image-with-plan/configuration.tfvars
@@ -14,7 +14,6 @@ global_settings = {
     }
   }
 
-  prefix = "test"
 }
 
 resource_groups = {

diff --git a/examples/compute/virtual_machine_scale_set/100-linux-win-vmss-lb/configuration.tfvars b/examples/compute/virtual_machine_scale_set/100-linux-win-vmss-lb/configuration.tfvars
@@ -1,6 +1,5 @@
 global_settings = {
   default_region = "region1"
-  prefix         = "example"
   regions = {
     region1 = "southeastasia"
   }

diff --git a/examples/compute/virtual_machine_scale_set/101-linux-win-vmss-agw/configuration.tfvars b/examples/compute/virtual_machine_scale_set/101-linux-win-vmss-agw/configuration.tfvars
@@ -1,6 +1,5 @@
 global_settings = {
   default_region = "region1"
-  prefix         = "example"
   regions = {
     region1 = "southeastasia"
   }

diff --git a/examples/networking/virtual_wan/108-vwan-vpn-site/virtual_wan.tfvars b/examples/networking/virtual_wan/108-vwan-vpn-site/virtual_wan.tfvars
@@ -0,0 +1,64 @@
+global_settings = {
+  default_region = "region1"
+  regions = {
+    region1 = "southeastasia"
+  }
+}
+
+resource_groups = {
+  hub_re1 = {
+    name   = "vnet-hub-re1"
+    region = "region1"
+  }
+}
+
+virtual_wans = {
+  vwan_re1 = {
+    resource_group_key = "hub_re1"
+    name               = "contosovWAN-re1"
+    region             = "region1"
+  }
+}
+
+vpn_sites = {
+  vpn-site-1 = {
+    name          = "vpn-site-1"
+    address_cidrs = ["1.2.3.0/24", "4.5.6.0/24"]
+    device_vendor = "Cisco"
+    device_model  = "800"
+
+    resource_group = {
+      # lz_key = "vwans" # Set the 'lz_key' of a Resource Group created in a remote deployment
+      key = "hub_re1" # Set the 'key' of the Resource Group created in this (or a remote) deployment
+    }
+
+    virtual_wan = {
+      key = "vwan_re1" # Set the 'key' of the Virtual WAN created in this (or a remote) deployment
+      # lz_key = "vwans" # Set the 'lz_key' of a Virtual WAN created in a remote deployment
+      #
+      # or
+      #
+      # id = "/subscriptions/{subscriptionId}/resourceGroups/testRG/providers/Microsoft.Network/virtualHubs/westushub/hubRouteTables/defaultRouteTable" # Set the Resource ID of an existing Virtual WAN
+      # resource_id = "/subscriptions/[subscription_id]/resourceGroups/qaxu-rg-dns-domain-registrar/providers/Microsoft.Network/dnszones/ml0iaix4xgnz0jqd.com" # Set the Resource ID of an existing Virtual WAN
+    }
+
+    links = {
+      primary = {
+        name          = "primary"
+        ip_address    = "1.2.3.4"
+        provider_name = "Microsoft"
+        speed_in_mbps = "150"
+      }
+      secondary = {
+        name          = "secondary"
+        fqdn          = "secondary.link.com"
+        provider_name = "Microsoft"
+        speed_in_mbps = "50"
+        bgp = {
+          asn             = "65534"
+          peering_address = "169.254.1.2"
+        }
+      }
+    }
+  }
+}
diff --git a/examples/networking/virtual_wan/109-vwan-vpn-gateway-connection/virtual_wan.tfvars b/examples/networking/virtual_wan/109-vwan-vpn-gateway-connection/virtual_wan.tfvars
@@ -0,0 +1,167 @@
+global_settings = {
+  default_region = "region1"
+  regions = {
+    region1 = "southeastasia"
+  }
+}
+
+resource_groups = {
+  hub_re1 = {
+    name   = "vnet-hub-re1"
+    region = "region1"
+  }
+}
+
+virtual_wans = {
+  vwan_re1 = {
+    resource_group_key = "hub_re1"
+    name               = "contosovWAN-re1"
+    region             = "region1"
+
+    hubs = {
+      hub_re1 = {
+        hub_name           = "hub-re1"
+        region             = "region1"
+        hub_address_prefix = "10.0.3.0/24"
+        deploy_firewall    = false
+        deploy_p2s         = false
+        p2s_config         = {}
+        deploy_s2s         = true
+        s2s_config = {
+          name       = "caf-sea-vpn-s2s"
+          scale_unit = 1
+        }
+        deploy_er = false
+      }
+    }
+  }
+}
+
+virtual_hub_route_tables = {
+  routetable1 = {
+    name = "example-vhubroutetable1"
+
+    virtual_wan_key = "vwan_re1"
+    virtual_hub_key = "hub_re1"
+
+    labels = ["label1"]
+  }
+  routetable2 = {
+    name = "example-vhubroutetable2"
+
+    virtual_wan_key = "vwan_re1"
+    virtual_hub_key = "hub_re1"
+
+    labels = ["label2"]
+  }
+}
+
+vpn_sites = {
+  vpn-site-1 = {
+    name          = "vpn-site-1"
+    address_cidrs = ["1.2.3.0/24", "4.5.6.0/24"]
+    device_vendor = "Cisco"
+    device_model  = "800"
+
+    resource_group = {
+      key = "hub_re1"
+    }
+
+    virtual_wan = {
+      key = "vwan_re1"
+    }
+
+    links = {
+      primary = {
+        name          = "primary"
+        ip_address    = "1.2.3.4"
+        provider_name = "Microsoft"
+        speed_in_mbps = "150"
+      }
+      secondary = {
+        name          = "secondary"
+        fqdn          = "secondary.link.com"
+        provider_name = "Microsoft"
+        speed_in_mbps = "50"
+        bgp = {
+          asn             = "65534"
+          peering_address = "169.254.1.2"
+        }
+      }
+    }
+  }
+}
+
+vpn_gateway_connections = {
+  connection-1 = {
+    name                      = "connection-1"
+    internet_security_enabled = false
+
+    # vpn_site_id = "" # Set the Resource ID of an existing VPN Site
+    vpn_site = {
+      # lz_key = "vpns" # Set the 'lz_key' of a VPN Site created in a remote deployment
+      key = "vpn-site-1" # Set the 'key' of the VPN Site created in this (or a remote) deployment
+    }
+    virtual_wan = {
+      key = "vwan_re1"
+    }
+    # virtual_hub_gateway_id = "" # Set the Resource ID of an existing Virtual Hub's VPN Gateway
+    virtual_hub = {
+      # lz_key = "" # Set the 'lz_key' of a Virtual Hub created in a remote deployment
+      key = "hub_re1" # Set the 'key' of the Virtual Hub created in this (or a remote) deployment
+    }
+
+    vpn_links = {
+      link-1 = {
+        link_index                             = 0 # Index order of VPN Site's Link
+        name                                   = "link-1"
+        bandwidth_mbps                         = "100"       # Optional
+        bgp_enabled                            = true        # Optional
+        protocol                               = "IKEv2"     # Optional
+        ratelimit_enabled                      = true        # Optional
+        route_weight                           = "100"       # Optional
+        shared_key                             = "abc123456" # Optional
+        local_azure_ip_address_enabled         = false       # Optional
+        policy_based_traffic_selectors_enabled = false       # Optional
+
+        ipsec_policies = { # Optional
+          policy1 = {
+            dh_group                 = "DHGroup14"
+            ike_encryption_algorithm = "AES256"
+            ike_integrity_algorithm  = "SHA256"
+            encryption_algorithm     = "AES256"
+            integrity_algorithm      = "SHA256"
+            pfs_group                = "PFS14"
+            sa_data_size_kb          = "102400000"
+            sa_lifetime_sec          = "27000"
+          }
+        }
+      }
+      # link-2 = {
+      #   link_index = 1
+      #   name = "link-2"
+      # }
+    }
+
+    routing = { # Optional
+      associated_route_table = {
+        # id = "" # Set the Resource ID of an existing Virtual WAN Route Table
+        # lz_key = "" # Set the 'lz_key' of a Route Table created in a remote deployment
+        key = "routetable1" # Set the 'key' of the Route Table created in this (or a remote) deployment
+      }
+
+      propagated_route_tables = {
+        routetable1 = {
+          # id = "" # Set the Resource ID of an existing Virtual WAN Route Table
+          # lz_key = "" # Set the 'lz_key' of a Route Table created in a remote deployment
+          key = "routetable1" # Set the 'key' of the Route Table created in this (or a remote) deployment
+        }
+        routetable2 = {
+          # id = "" # Set the Resource ID of an existing Virtual WAN Route Table
+          # lz_key = "" # Set the 'lz_key' of a Route Table created in a remote deployment
+          key = "routetable2" # Set the 'key' of the Route Table created in this (or a remote) deployment
+        }
+      }
+    }
+  }
+}
diff --git a/landingzones/caf_example/README.md b/landingzones/caf_example/README.md
@@ -229,6 +229,8 @@ No resources.
 | virtual\_wans | n/a | `map` | `{}` | no |
 | vnet\_peerings | n/a | `map` | `{}` | no |
 | vnets | n/a | `map` | `{}` | no |
+| vpn_gateway_connections | n/a | `map` | `{}` | no |
+| vpn_sites | n/a | `map` | `{}` | no |
 
 ## Outputs
 

diff --git a/landingzones/caf_example/module.tf b/landingzones/caf_example/module.tf
@@ -117,6 +117,8 @@ module "example" {
     virtual_wans                                            = var.virtual_wans
     vnet_peerings                                           = var.vnet_peerings
     vnets                                                   = var.vnets
+    vpn_sites                                               = var.vpn_sites
+    vpn_gateway_connections                                 = var.vpn_gateway_connections
   }
 
   diagnostics = {

diff --git a/landingzones/caf_example/variables.tf b/landingzones/caf_example/variables.tf
@@ -508,3 +508,9 @@ variable "wvd_host_pools" {
 variable "lighthouse_definitions" {
   default = {}
 }
+variable "vpn_sites" {
+  default = {}
+}
+variable "vpn_gateway_connections" {
+  default = {}
+}
diff --git a/locals.combined_objects.tf b/locals.combined_objects.tf
@@ -54,6 +54,8 @@ locals {
   combined_objects_virtual_hub_route_tables          = merge(tomap({ (local.client_config.landingzone_key) = azurerm_virtual_hub_route_table.route_table }), try(var.remote_objects.virtual_hub_route_tables, {}))
   combined_objects_virtual_hubs                      = merge(tomap({ (local.client_config.landingzone_key) = module.virtual_hubs }), try(var.remote_objects.virtual_hubs, {}))
   combined_objects_virtual_wans                      = merge(tomap({ (local.client_config.landingzone_key) = module.virtual_wans }), try(var.remote_objects.virtual_wans, {}))
+  combined_objects_vpn_gateway_connections           = merge(tomap({ (local.client_config.landingzone_key) = module.vpn_gateway_connections }), try(var.remote_objects.vpn_gateway_connections, {}))
+  combined_objects_vpn_sites                         = merge(tomap({ (local.client_config.landingzone_key) = module.vpn_sites }), try(var.remote_objects.vpn_sites, {}))
   combined_objects_wvd_application_groups            = merge(tomap({ (local.client_config.landingzone_key) = module.wvd_application_groups }), try(var.remote_objects.wvd_application_groups, {}))
   combined_objects_wvd_host_pools                    = merge(tomap({ (local.client_config.landingzone_key) = module.wvd_host_pools }), try(var.remote_objects.wvd_host_pools, {}))
   combined_objects_wvd_workspaces                    = merge(tomap({ (local.client_config.landingzone_key) = module.wvd_workspaces }), try(var.remote_objects.wvd_workspaces, {}))

diff --git a/locals.tf b/locals.tf
@@ -202,6 +202,8 @@ locals {
     virtual_wans                                            = try(var.networking.virtual_wans, {})
     vnet_peerings                                           = try(var.networking.vnet_peerings, {})
     vnets                                                   = try(var.networking.vnets, {})
+    vpn_gateway_connections                                 = try(var.networking.vpn_gateway_connections, {})
+    vpn_sites                                               = try(var.networking.vpn_sites, {})
   }
 
   object_id = coalesce(var.logged_user_objectId, var.logged_aad_app_objectId, try(data.azurerm_client_config.current.object_id, null), try(data.azuread_service_principal.logged_in_app.0.object_id, null))

diff --git a/modules/networking/application_gateway/locals.backend_pools.tf b/modules/networking/application_gateway/locals.backend_pools.tf
@@ -33,7 +33,7 @@ locals {
           local.backend_pools_app_services[key],
           local.backend_pools_fqdn[key]
         ]
-      ),null)
+      ), null)
       ip_addresses = try(value.backend_pool.ip_addresses, null)
     }
   }

diff --git a/modules/networking/virtual_wan/virtual_hub/site_to_site_gateway.tf b/modules/networking/virtual_wan/virtual_hub/site_to_site_gateway.tf
@@ -38,15 +38,15 @@ resource "azurerm_vpn_gateway" "s2s_gateway" {
           custom_ips = var.virtual_hub_config.s2s_config.bgp_settings.instance_0_bgp_peering_address.custom_ips
         }
       }
-      
+
       dynamic "instance_1_bgp_peering_address" {
         for_each = try(var.virtual_hub_config.s2s_config.bgp_settings.instance_1_bgp_peering_address, null) == null ? [] : [1]
 
         content {
           custom_ips = var.virtual_hub_config.s2s_config.bgp_settings.instance_1_bgp_peering_address.custom_ips
         }
       }
-      
+
     }
   }
 

diff --git a/modules/networking/vpn_gateway_connection/main.tf b/modules/networking/vpn_gateway_connection/main.tf
@@ -0,0 +1,7 @@
+terraform {
+  required_providers {
+    azurecaf = {
+      source = "aztfmod/azurecaf"
+    }
+  }
+}