Merge pull request #518 from carldjohnston/vpn-site
Add support for vpn_sites and vpn_gateway_connections
Showing
19 changed files
with
479 additions
and
3 deletions.
64 changes: 64 additions & 0 deletions
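--- a/examples/networking/virtual_wan/108-vwan-vpn-site/virtual_wan.tfvars
+++ b/examples/networking/virtual_wan/108-vwan-vpn-site/virtual_wan.tfvars
@@ -0,0 +1,64 @@
+global_settings = {
+default_region = "region1"
+regions = {
+region1 = "southeastasia"
+}
+}
+
+resource_groups = {
+hub_re1 = {
+name = "vnet-hub-re1"
+region = "region1"
+}
+}
+
+virtual_wans = {
+vwan_re1 = {
+resource_group_key = "hub_re1"
+name = "contosovWAN-re1"
+region = "region1"
+}
+}
+
+vpn_sites = {
+vpn-site-1 = {
+name = "vpn-site-1"
+address_cidrs = ["1.2.3.0/24", "4.5.6.0/24"]
+device_vendor = "Cisco"
+device_model = "800"
+
+resource_group = {
+# lz_key = "vwans" # Set the 'lz_key' of a Resource Group created in a remote deployment
+key = "hub_re1" # Set the 'key' of the Resource Group created in this (or a remote) deployment
+}
+
+virtual_wan = {
+key = "vwan_re1" # Set the 'key' of the Virtual WAN created in this (or a remote) deployment
+# lz_key = "vwans" # Set the 'lz_key' of a Virtual WAN created in a remote deployment
+#
+# or
+#
+# id = "/subscriptions/{subscriptionId}/resourceGroups/testRG/providers/Microsoft.Network/virtualHubs/westushub/hubRouteTables/defaultRouteTable" # Set the Resource ID of an existing Virtual WAN
+# resource_id = "/subscriptions/[subscription_id]/resourceGroups/qaxu-rg-dns-domain-registrar/providers/Microsoft.Network/dnszones/ml0iaix4xgnz0jqd.com" # Set the Resource ID of an existing Virtual WAN
+}
+
+links = {
+primary = {
+name = "primary"
+ip_address = "1.2.3.4"
+provider_name = "Microsoft"
+speed_in_mbps = "150"
+}
+secondary = {
+name = "secondary"
+fqdn = "secondary.link.com"
+provider_name = "Microsoft"
+speed_in_mbps = "50"
+bgp = {
+asn = "65534"
+peering_address = "169.254.1.2"
+}
+}
+}
+}
+}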
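Review bot: The two commented `id`/`resource_id` lines under `virtual_wan` are both labelled "Set the Resource ID of an existing Virtual WAN", yet the sample values are a hub route table ID and a DNS zone ID copied from other examples, and the DNS one carries what looks like a real resource group and zone name rather than a placeholder. Replace both with a single placeholder-only line, e.g. `# id = "/subscriptions/{subscriptionId}/resourceGroups/{rgName}/providers/Microsoft.Network/virtualWans/{vwanName}" # Set the Resource ID of an existing Virtual WAN`, keeping whichever of `id` or `resource_id` the vpn_site module actually reads (that module is not in this hunk).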
165 changes: 165 additions & 0 deletions
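--- a/examples/networking/virtual_wan/109-vwan-vpn-gateway-connection/virtual_wan.tfvars
+++ b/examples/networking/virtual_wan/109-vwan-vpn-gateway-connection/virtual_wan.tfvars
@@ -0,0 +1,165 @@
+global_settings = {
+default_region = "region1"
+regions = {
+region1 = "southeastasia"
+}
+}
+
+resource_groups = {
+hub_re1 = {
+name = "vnet-hub-re1"
+region = "region1"
+}
+}
+
+virtual_wans = {
+vwan_re1 = {
+resource_group_key = "hub_re1"
+name = "contosovWAN-re1"
+region = "region1"
+
+hubs = {
+hub_re1 = {
+hub_name = "hub-re1"
+region = "region1"
+hub_address_prefix = "10.0.3.0/24"
+deploy_firewall = false
+deploy_p2s = false
+p2s_config = {}
+deploy_s2s = true
+s2s_config = {
+name = "caf-sea-vpn-s2s"
+scale_unit = 1
+}
+deploy_er = false
+}
+}
+}
+}
+
+virtual_hub_route_tables = {
+routetable1 = {
+name = "example-vhubroutetable1"
+
+virtual_wan_key = "vwan_re1"
+virtual_hub_key = "hub_re1"
+
+labels = ["label1"]
+}
+routetable2 = {
+name = "example-vhubroutetable2"
+
+virtual_wan_key = "vwan_re1"
+virtual_hub_key = "hub_re1"
+
+labels = ["label2"]
+}
+}
+
+vpn_sites = {
+vpn-site-1 = {
+name = "vpn-site-1"
+address_cidrs = ["1.2.3.0/24", "4.5.6.0/24"]
+device_vendor = "Cisco"
+device_model = "800"
+
+resource_group = {
+key = "hub_re1"
+}
+
+virtual_wan = {
+key = "vwan_re1"
+}
+
+links = {
+primary = {
+name = "primary"
+ip_address = "1.2.3.4"
+provider_name = "Microsoft"
+speed_in_mbps = "150"
+}
+secondary = {
+name = "secondary"
+fqdn = "secondary.link.com"
+provider_name = "Microsoft"
+speed_in_mbps = "50"
+bgp = {
+asn = "65534"
+peering_address = "169.254.1.2"
+}
+}
+}
+}
+}
+
+vpn_gateway_connections = {
+connection-1 = {
+name = "connection-1"
+internet_security_enabled = false
+
+# vpn_site_id = "" # Set the Resource ID of an existing VPN Site
+vpn_site = {
+# lz_key = "vpns" # Set the 'lz_key' of a VPN Site created in a remote deployment
+key = "vpn-site-1" # Set the 'key' of the VPN Site created in this (or a remote) deployment
+}
+
+# virtual_hub_gateway_id = "" # Set the Resource ID of an existing Virtual Hub's VPN Gateway
+virtual_hub = {
+# lz_key = "" # Set the 'lz_key' of a Virtual Hub created in a remote deployment
+key = "hub_re1" # Set the 'key' of the Virtual Hub created in this (or a remote) deployment
+}
+
+vpn_links = {
+link-1 = {
+link_index = 0 # Index order of VPN Site's Link
+name = "link-1"
+bandwidth_mbps = "100" # Optional
+bgp_enabled = true # Optional
+protocol = "IKEv2" # Optional
+ratelimit_enabled = true # Optional
+route_weight = "100" # Optional
+shared_key = "abc123456" # Optional
+local_azure_ip_address_enabled = false # Optional
+policy_based_traffic_selectors_enabled = false # Optional
+
+ipsec_policies = { # Optional
+policy1 = {
+dh_group = "DHGroup14"
+ike_encryption_algorithm = "AES256"
+ike_integrity_algorithm = "SHA256"
+encryption_algorithm = "AES256"
+integrity_algorithm = "SHA256"
+pfs_group = "PFS14"
+sa_data_size_kb = "102400000"
+sa_lifetime_sec = "27000"
+}
+}
+}
+# link-2 = {
+# link_index = 1
+# name = "link-2"
+# }
+}
+
+routing = { # Optional
+associated_route_table = {
+# id = "" # Set the Resource ID of an existing Virtual WAN Route Table
+# lz_key = "" # Set the 'lz_key' of a Route Table created in a remote deployment
+key = "routetable1" # Set the 'key' of the Route Table created in this (or a remote) deployment
+}
+
+propagated_route_tables = {
+routetable1 = {
+# id = "" # Set the Resource ID of an existing Virtual WAN Route Table
+# lz_key = "" # Set the 'lz_key' of a Route Table created in a remote deployment
+key = "routetable1" # Set the 'key' of the Route Table created in this (or a remote) deployment
+}
+routetable2 = {
+# id = "" # Set the Resource ID of an existing Virtual WAN Route Table
+# lz_key = "" # Set the 'lz_key' of a Route Table created in a remote deployment
+key = "routetable2" # Set the 'key' of the Route Table created in this (or a remote) deployment
+}
+}
+}
+}
+}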
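Review bot: `shared_key = "abc123456"` on the `link-1` entry is an IKE pre-shared key committed in clear in a tfvars example; the module passes it straight through to the provider, so it lands in state (and in plan output unless the provider schema marks the attribute sensitive), and examples like this tend to be copied into real deployments unchanged. Replace the literal with an obvious placeholder and point at an out-of-band source, e.g. `shared_key = "<psk-from-key-vault>" # Optional - supply from Key Vault or a sensitive variable, never commit a real key`. Separately, `policy_based_traffic_selectors_enabled` (plural) on the same link does not match the attribute the module reads, `policy_based_traffic_selector_enabled`, and because the module wraps that lookup in `try(..., null)` the value set here is silently dropped rather than rejected; rename the key to `policy_based_traffic_selector_enabled = false # Optional`.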
@@ -0,0 +1,7 @@ | ||
terraform { | ||
required_providers { | ||
azurecaf = { | ||
source = "aztfmod/azurecaf" | ||
} | ||
} | ||
} |
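Review bot: `source = "aztfmod/azurecaf"` is declared without a `version` constraint, so whichever azurecaf release is newest at `terraform init` time is selected for a fresh checkout unless a root-module constraint or a committed `.terraform.lock.hcl` pins it; a module whose resource names depend on this provider's behaviour should state the range it was tested with. Add `version = "<tested azurecaf version range>"` next to `source`. The `terraform` block is complete within this hunk.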
@@ -0,0 +1,71 @@ | ||
resource "azurecaf_name" "vpn_gateway_connection" { | ||
name = var.settings.name | ||
resource_type = "azurerm_virtual_network_gateway" # TODO "azurerm_vpn_gateway_connection" | ||
prefixes = var.global_settings.prefixes | ||
random_length = var.global_settings.random_length | ||
clean_input = true | ||
passthrough = var.global_settings.passthrough | ||
use_slug = var.global_settings.use_slug | ||
} | ||
|
||
resource "azurerm_vpn_gateway_connection" "vpn_gateway_connection" { | ||
name = azurecaf_name.vpn_gateway_connection.result | ||
vpn_gateway_id = var.vpn_gateway_id | ||
internet_security_enabled = var.settings.internet_security_enabled | ||
|
||
remote_vpn_site_id = coalesce( | ||
try(var.vpn_sites[try(var.settings.vpn_site.lz_key, var.client_config.landingzone_key)][var.settings.vpn_site.key].vpn_site.id, null), | ||
try(var.settings.vpn_site_id, null) | ||
) | ||
|
||
dynamic "vpn_link" { | ||
for_each = var.settings.vpn_links | ||
content { | ||
name = vpn_link.value.name | ||
bandwidth_mbps = try(vpn_link.value.bandwidth_mbps, null) | ||
bgp_enabled = try(vpn_link.value.bgp_enabled, null) | ||
protocol = try(vpn_link.value.protocol, null) | ||
ratelimit_enabled = try(vpn_link.value.ratelimit_enabled, null) | ||
route_weight = try(vpn_link.value.route_weight, null) | ||
shared_key = try(vpn_link.value.shared_key, null) | ||
local_azure_ip_address_enabled = try(vpn_link.value.local_azure_ip_address_enabled, null) | ||
policy_based_traffic_selector_enabled = try(vpn_link.value.policy_based_traffic_selector_enabled, null) | ||
|
||
vpn_site_link_id = coalesce( | ||
try(var.vpn_sites[try(var.settings.vpn_site.lz_key, var.client_config.landingzone_key)][var.settings.vpn_site.key].vpn_site.link[vpn_link.value.link_index].id, null), | ||
try(vpn_link.value.vpn_link_id, null) | ||
) | ||
|
||
dynamic "ipsec_policy" { | ||
for_each = vpn_link.value.ipsec_policies | ||
content { | ||
dh_group = ipsec_policy.value.dh_group | ||
ike_encryption_algorithm = ipsec_policy.value.ike_encryption_algorithm | ||
ike_integrity_algorithm = ipsec_policy.value.ike_integrity_algorithm | ||
encryption_algorithm = ipsec_policy.value.encryption_algorithm | ||
integrity_algorithm = ipsec_policy.value.integrity_algorithm | ||
pfs_group = ipsec_policy.value.pfs_group | ||
sa_data_size_kb = ipsec_policy.value.sa_data_size_kb | ||
sa_lifetime_sec = ipsec_policy.value.sa_lifetime_sec | ||
} | ||
} | ||
} | ||
} | ||
|
||
dynamic "routing" { | ||
for_each = lookup(var.settings, "routing", null) == null ? [] : [1] | ||
content { | ||
associated_route_table = coalesce( | ||
try(var.route_tables[try(var.settings.routing.associated_route_table.lz_key, var.client_config.landingzone_key)][var.settings.routing.associated_route_table.key].id, null), | ||
try(var.settings.routing.associated_route_table.id, null) | ||
) | ||
|
||
propagated_route_tables = [ | ||
for key, value in var.settings.routing.propagated_route_tables : coalesce( | ||
try(var.route_tables[try(value.lz_key, var.client_config.landingzone_key)][value.key].id, null), | ||
try(value.id, null) | ||
) | ||
] | ||
} | ||
} | ||
} |
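Review bot: `for_each = vpn_link.value.ipsec_policies` in the inner `dynamic "ipsec_policy"` block reads the attribute unguarded, while the example tfvars in this PR documents `ipsec_policies` as Optional; a link that omits it fails the plan with an unsupported-attribute error instead of producing a connection without custom IPsec policies. Guard it the way the sibling link attributes are guarded: `for_each = try(vpn_link.value.ipsec_policies, {})`. The `# TODO "azurerm_vpn_gateway_connection"` on `resource_type` in the azurecaf_name resource would be more useful as a comment stating why the gateway type is substituted (presumably azurecaf has no connection type yet) so a later maintainer knows when it can be closed.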
@@ -0,0 +1,4 @@ | ||
output "vpn_gateway_connection" { | ||
value = azurerm_vpn_gateway_connection.vpn_gateway_connection | ||
description = "VPN Gateway Connection object" | ||
} |
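Review bot: `value = azurerm_vpn_gateway_connection.vpn_gateway_connection` exports the whole resource object, which includes every `vpn_link` `shared_key`; if the azurerm provider marks that attribute sensitive, Terraform 0.15+ refuses to plan until the output is marked too, and if it does not, the pre-shared key is written in clear to the outputs section of state and returned by `terraform output`. Add `sensitive = true` to this block, or narrow the output to the attributes callers actually need such as `id` and `name`.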
@@ -0,0 +1,8 @@ | ||
variable "settings" {} | ||
variable "global_settings" { | ||
description = "Global settings object (see module README.md)" | ||
} | ||
variable "vpn_gateway_id" {} | ||
variable "vpn_sites" {} | ||
variable "client_config" {} | ||
variable "route_tables" {} |
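Review bot: `variable "settings" {}` and the four other undescribed, untyped variables leave callers to infer the expected schema from the example tfvars; since `settings` carries each link's `shared_key`, its description is also the place to say that value is expected to come from a sensitive source. Suggest at minimum `description = "VPN gateway connection settings: name, internet_security_enabled, vpn_site{key,lz_key} or vpn_site_id, vpn_links{...}, routing{...}; link shared_key should be supplied from a sensitive source"` on `settings`, and one-line descriptions on `vpn_gateway_id`, `vpn_sites`, `client_config` and `route_tables` matching the style already used for `global_settings`.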