Merge pull request #518 from carldjohnston/vpn-site

Add support for vpn_sites and vpn_gateway_connections
aztfmod · Jun 17, 2021 · e8ad55a · e8ad55a
2 parents af5bd6a + 27b0758
commit e8ad55a
Show file tree

Hide file tree

Showing 19 changed files with 479 additions and 3 deletions.
diff --git a/examples/networking/virtual_wan/108-vwan-vpn-site/virtual_wan.tfvars b/examples/networking/virtual_wan/108-vwan-vpn-site/virtual_wan.tfvars
@@ -0,0 +1,64 @@
+global_settings = {
+  default_region = "region1"
+  regions = {
+    region1 = "southeastasia"
+  }
+}
+
+resource_groups = {
+  hub_re1 = {
+    name   = "vnet-hub-re1"
+    region = "region1"
+  }
+}
+
+virtual_wans = {
+  vwan_re1 = {
+    resource_group_key = "hub_re1"
+    name               = "contosovWAN-re1"
+    region             = "region1"
+  }
+}
+
+vpn_sites = {
+  vpn-site-1 = {
+    name          = "vpn-site-1"
+    address_cidrs = ["1.2.3.0/24", "4.5.6.0/24"]
+    device_vendor = "Cisco"
+    device_model  = "800"
+
+    resource_group = {
+      # lz_key = "vwans" # Set the 'lz_key' of a Resource Group created in a remote deployment
+      key = "hub_re1" # Set the 'key' of the Resource Group created in this (or a remote) deployment
+    }
+
+    virtual_wan = {
+      key = "vwan_re1" # Set the 'key' of the Virtual WAN created in this (or a remote) deployment
+      # lz_key = "vwans" # Set the 'lz_key' of a Virtual WAN created in a remote deployment
+      #
+      # or
+      #
+      # id = "/subscriptions/{subscriptionId}/resourceGroups/testRG/providers/Microsoft.Network/virtualHubs/westushub/hubRouteTables/defaultRouteTable" # Set the Resource ID of an existing Virtual WAN
+      # resource_id = "/subscriptions/[subscription_id]/resourceGroups/qaxu-rg-dns-domain-registrar/providers/Microsoft.Network/dnszones/ml0iaix4xgnz0jqd.com" # Set the Resource ID of an existing Virtual WAN
+    }
+
+    links = {
+      primary = {
+        name          = "primary"
+        ip_address    = "1.2.3.4"
+        provider_name = "Microsoft"
+        speed_in_mbps = "150"
+      }
+      secondary = {
+        name          = "secondary"
+        fqdn          = "secondary.link.com"
+        provider_name = "Microsoft"
+        speed_in_mbps = "50"
+        bgp = {
+          asn             = "65534"
+          peering_address = "169.254.1.2"
+        }
+      }
+    }
+  }
+}
diff --git a/examples/networking/virtual_wan/109-vwan-vpn-gateway-connection/virtual_wan.tfvars b/examples/networking/virtual_wan/109-vwan-vpn-gateway-connection/virtual_wan.tfvars
@@ -0,0 +1,165 @@
+global_settings = {
+  default_region = "region1"
+  regions = {
+    region1 = "southeastasia"
+  }
+}
+
+resource_groups = {
+  hub_re1 = {
+    name   = "vnet-hub-re1"
+    region = "region1"
+  }
+}
+
+virtual_wans = {
+  vwan_re1 = {
+    resource_group_key = "hub_re1"
+    name               = "contosovWAN-re1"
+    region             = "region1"
+
+    hubs = {
+      hub_re1 = {
+        hub_name           = "hub-re1"
+        region             = "region1"
+        hub_address_prefix = "10.0.3.0/24"
+        deploy_firewall    = false
+        deploy_p2s         = false
+        p2s_config         = {}
+        deploy_s2s         = true
+        s2s_config = {
+          name       = "caf-sea-vpn-s2s"
+          scale_unit = 1
+        }
+        deploy_er = false
+      }
+    }
+  }
+}
+
+virtual_hub_route_tables = {
+  routetable1 = {
+    name = "example-vhubroutetable1"
+
+    virtual_wan_key = "vwan_re1"
+    virtual_hub_key = "hub_re1"
+
+    labels = ["label1"]
+  }
+  routetable2 = {
+    name = "example-vhubroutetable2"
+
+    virtual_wan_key = "vwan_re1"
+    virtual_hub_key = "hub_re1"
+
+    labels = ["label2"]
+  }
+}
+
+vpn_sites = {
+  vpn-site-1 = {
+    name          = "vpn-site-1"
+    address_cidrs = ["1.2.3.0/24", "4.5.6.0/24"]
+    device_vendor = "Cisco"
+    device_model  = "800"
+
+    resource_group = {
+      key = "hub_re1"
+    }
+
+    virtual_wan = {
+      key = "vwan_re1"
+    }
+
+    links = {
+      primary = {
+        name          = "primary"
+        ip_address    = "1.2.3.4"
+        provider_name = "Microsoft"
+        speed_in_mbps = "150"
+      }
+      secondary = {
+        name          = "secondary"
+        fqdn          = "secondary.link.com"
+        provider_name = "Microsoft"
+        speed_in_mbps = "50"
+        bgp = {
+          asn             = "65534"
+          peering_address = "169.254.1.2"
+        }
+      }
+    }
+  }
+}
+
+vpn_gateway_connections = {
+  connection-1 = {
+    name                      = "connection-1"
+    internet_security_enabled = false
+
+    # vpn_site_id = "" # Set the Resource ID of an existing VPN Site
+    vpn_site = {
+      # lz_key = "vpns" # Set the 'lz_key' of a VPN Site created in a remote deployment
+      key = "vpn-site-1" # Set the 'key' of the VPN Site created in this (or a remote) deployment
+    }
+
+    # virtual_hub_gateway_id = "" # Set the Resource ID of an existing Virtual Hub's VPN Gateway
+    virtual_hub = {
+      # lz_key = "" # Set the 'lz_key' of a Virtual Hub created in a remote deployment
+      key = "hub_re1" # Set the 'key' of the Virtual Hub created in this (or a remote) deployment
+    }
+
+    vpn_links = {
+      link-1 = {
+        link_index                             = 0 # Index order of VPN Site's Link
+        name                                   = "link-1"
+        bandwidth_mbps                         = "100"       # Optional
+        bgp_enabled                            = true        # Optional
+        protocol                               = "IKEv2"     # Optional
+        ratelimit_enabled                      = true        # Optional
+        route_weight                           = "100"       # Optional
+        shared_key                             = "abc123456" # Optional
+        local_azure_ip_address_enabled         = false       # Optional
+        policy_based_traffic_selectors_enabled = false       # Optional
+
+        ipsec_policies = { # Optional
+          policy1 = {
+            dh_group                 = "DHGroup14"
+            ike_encryption_algorithm = "AES256"
+            ike_integrity_algorithm  = "SHA256"
+            encryption_algorithm     = "AES256"
+            integrity_algorithm      = "SHA256"
+            pfs_group                = "PFS14"
+            sa_data_size_kb          = "102400000"
+            sa_lifetime_sec          = "27000"
+          }
+        }
+      }
+      # link-2 = {
+      #   link_index = 1
+      #   name = "link-2"
+      # }
+    }
+
+    routing = { # Optional
+      associated_route_table = {
+        # id = "" # Set the Resource ID of an existing Virtual WAN Route Table
+        # lz_key = "" # Set the 'lz_key' of a Route Table created in a remote deployment
+        key = "routetable1" # Set the 'key' of the Route Table created in this (or a remote) deployment
+      }
+
+      propagated_route_tables = {
+        routetable1 = {
+          # id = "" # Set the Resource ID of an existing Virtual WAN Route Table
+          # lz_key = "" # Set the 'lz_key' of a Route Table created in a remote deployment
+          key = "routetable1" # Set the 'key' of the Route Table created in this (or a remote) deployment
+        }
+        routetable2 = {
+          # id = "" # Set the Resource ID of an existing Virtual WAN Route Table
+          # lz_key = "" # Set the 'lz_key' of a Route Table created in a remote deployment
+          key = "routetable2" # Set the 'key' of the Route Table created in this (or a remote) deployment
+        }
+      }
+    }
+  }
+}
diff --git a/landingzones/caf_example/README.md b/landingzones/caf_example/README.md
@@ -229,6 +229,8 @@ No resources.
 | virtual\_wans | n/a | `map` | `{}` | no |
 | vnet\_peerings | n/a | `map` | `{}` | no |
 | vnets | n/a | `map` | `{}` | no |
+| vpn_gateway_connections | n/a | `map` | `{}` | no |
+| vpn_sites | n/a | `map` | `{}` | no |
 
 ## Outputs
 

diff --git a/landingzones/caf_example/module.tf b/landingzones/caf_example/module.tf
@@ -117,6 +117,8 @@ module "example" {
     virtual_wans                                            = var.virtual_wans
     vnet_peerings                                           = var.vnet_peerings
     vnets                                                   = var.vnets
+    vpn_sites                                               = var.vpn_sites
+    vpn_gateway_connections                                 = var.vpn_gateway_connections
   }
 
   diagnostics = {

diff --git a/landingzones/caf_example/variables.tf b/landingzones/caf_example/variables.tf
@@ -508,3 +508,9 @@ variable "wvd_host_pools" {
 variable "lighthouse_definitions" {
   default = {}
 }
+variable "vpn_sites" {
+  default = {}
+}
+variable "vpn_gateway_connections" {
+  default = {}
+}
diff --git a/locals.combined_objects.tf b/locals.combined_objects.tf
@@ -54,6 +54,8 @@ locals {
   combined_objects_virtual_hub_route_tables          = merge(tomap({ (local.client_config.landingzone_key) = azurerm_virtual_hub_route_table.route_table }), try(var.remote_objects.virtual_hub_route_tables, {}))
   combined_objects_virtual_hubs                      = merge(tomap({ (local.client_config.landingzone_key) = module.virtual_hubs }), try(var.remote_objects.virtual_hubs, {}))
   combined_objects_virtual_wans                      = merge(tomap({ (local.client_config.landingzone_key) = module.virtual_wans }), try(var.remote_objects.virtual_wans, {}))
+  combined_objects_vpn_gateway_connections           = merge(tomap({ (local.client_config.landingzone_key) = module.vpn_gateway_connections }), try(var.remote_objects.vpn_gateway_connections, {}))
+  combined_objects_vpn_sites                         = merge(tomap({ (local.client_config.landingzone_key) = module.vpn_sites }), try(var.remote_objects.vpn_sites, {}))
   combined_objects_wvd_application_groups            = merge(tomap({ (local.client_config.landingzone_key) = module.wvd_application_groups }), try(var.remote_objects.wvd_application_groups, {}))
   combined_objects_wvd_host_pools                    = merge(tomap({ (local.client_config.landingzone_key) = module.wvd_host_pools }), try(var.remote_objects.wvd_host_pools, {}))
   combined_objects_wvd_workspaces                    = merge(tomap({ (local.client_config.landingzone_key) = module.wvd_workspaces }), try(var.remote_objects.wvd_workspaces, {}))

diff --git a/locals.tf b/locals.tf
@@ -202,6 +202,8 @@ locals {
     virtual_wans                                            = try(var.networking.virtual_wans, {})
     vnet_peerings                                           = try(var.networking.vnet_peerings, {})
     vnets                                                   = try(var.networking.vnets, {})
+    vpn_gateway_connections                                 = try(var.networking.vpn_gateway_connections, {})
+    vpn_sites                                               = try(var.networking.vpn_sites, {})
   }
 
   object_id = coalesce(var.logged_user_objectId, var.logged_aad_app_objectId, try(data.azurerm_client_config.current.object_id, null), try(data.azuread_service_principal.logged_in_app.0.object_id, null))

diff --git a/modules/networking/application_gateway/locals.backend_pools.tf b/modules/networking/application_gateway/locals.backend_pools.tf
@@ -33,7 +33,7 @@ locals {
           local.backend_pools_app_services[key],
           local.backend_pools_fqdn[key]
         ]
-      ),null)
+      ), null)
       ip_addresses = try(value.backend_pool.ip_addresses, null)
     }
   }

diff --git a/modules/networking/virtual_wan/virtual_hub/site_to_site_gateway.tf b/modules/networking/virtual_wan/virtual_hub/site_to_site_gateway.tf
@@ -38,15 +38,15 @@ resource "azurerm_vpn_gateway" "s2s_gateway" {
           custom_ips = var.virtual_hub_config.s2s_config.bgp_settings.instance_0_bgp_peering_address.custom_ips
         }
       }
-      
+
       dynamic "instance_1_bgp_peering_address" {
         for_each = try(var.virtual_hub_config.s2s_config.bgp_settings.instance_1_bgp_peering_address, null) == null ? [] : [1]
 
         content {
           custom_ips = var.virtual_hub_config.s2s_config.bgp_settings.instance_1_bgp_peering_address.custom_ips
         }
       }
-      
+
     }
   }
 

diff --git a/modules/networking/vpn_gateway_connection/main.tf b/modules/networking/vpn_gateway_connection/main.tf
@@ -0,0 +1,7 @@
+terraform {
+  required_providers {
+    azurecaf = {
+      source = "aztfmod/azurecaf"
+    }
+  }
+}
diff --git a/modules/networking/vpn_gateway_connection/module.tf b/modules/networking/vpn_gateway_connection/module.tf
@@ -0,0 +1,71 @@
+resource "azurecaf_name" "vpn_gateway_connection" {
+  name          = var.settings.name
+  resource_type = "azurerm_virtual_network_gateway" # TODO "azurerm_vpn_gateway_connection"
+  prefixes      = var.global_settings.prefixes
+  random_length = var.global_settings.random_length
+  clean_input   = true
+  passthrough   = var.global_settings.passthrough
+  use_slug      = var.global_settings.use_slug
+}
+
+resource "azurerm_vpn_gateway_connection" "vpn_gateway_connection" {
+  name                      = azurecaf_name.vpn_gateway_connection.result
+  vpn_gateway_id            = var.vpn_gateway_id
+  internet_security_enabled = var.settings.internet_security_enabled
+
+  remote_vpn_site_id = coalesce(
+    try(var.vpn_sites[try(var.settings.vpn_site.lz_key, var.client_config.landingzone_key)][var.settings.vpn_site.key].vpn_site.id, null),
+    try(var.settings.vpn_site_id, null)
+  )
+
+  dynamic "vpn_link" {
+    for_each = var.settings.vpn_links
+    content {
+      name                                  = vpn_link.value.name
+      bandwidth_mbps                        = try(vpn_link.value.bandwidth_mbps, null)
+      bgp_enabled                           = try(vpn_link.value.bgp_enabled, null)
+      protocol                              = try(vpn_link.value.protocol, null)
+      ratelimit_enabled                     = try(vpn_link.value.ratelimit_enabled, null)
+      route_weight                          = try(vpn_link.value.route_weight, null)
+      shared_key                            = try(vpn_link.value.shared_key, null)
+      local_azure_ip_address_enabled        = try(vpn_link.value.local_azure_ip_address_enabled, null)
+      policy_based_traffic_selector_enabled = try(vpn_link.value.policy_based_traffic_selector_enabled, null)
+
+      vpn_site_link_id = coalesce(
+        try(var.vpn_sites[try(var.settings.vpn_site.lz_key, var.client_config.landingzone_key)][var.settings.vpn_site.key].vpn_site.link[vpn_link.value.link_index].id, null),
+        try(vpn_link.value.vpn_link_id, null)
+      )
+
+      dynamic "ipsec_policy" {
+        for_each = vpn_link.value.ipsec_policies
+        content {
+          dh_group                 = ipsec_policy.value.dh_group
+          ike_encryption_algorithm = ipsec_policy.value.ike_encryption_algorithm
+          ike_integrity_algorithm  = ipsec_policy.value.ike_integrity_algorithm
+          encryption_algorithm     = ipsec_policy.value.encryption_algorithm
+          integrity_algorithm      = ipsec_policy.value.integrity_algorithm
+          pfs_group                = ipsec_policy.value.pfs_group
+          sa_data_size_kb          = ipsec_policy.value.sa_data_size_kb
+          sa_lifetime_sec          = ipsec_policy.value.sa_lifetime_sec
+        }
+      }
+    }
+  }
+
+  dynamic "routing" {
+    for_each = lookup(var.settings, "routing", null) == null ? [] : [1]
+    content {
+      associated_route_table = coalesce(
+        try(var.route_tables[try(var.settings.routing.associated_route_table.lz_key, var.client_config.landingzone_key)][var.settings.routing.associated_route_table.key].id, null),
+        try(var.settings.routing.associated_route_table.id, null)
+      )
+
+      propagated_route_tables = [
+        for key, value in var.settings.routing.propagated_route_tables : coalesce(
+          try(var.route_tables[try(value.lz_key, var.client_config.landingzone_key)][value.key].id, null),
+          try(value.id, null)
+        )
+      ]
+    }
+  }
+}
diff --git a/modules/networking/vpn_gateway_connection/output.tf b/modules/networking/vpn_gateway_connection/output.tf
@@ -0,0 +1,4 @@
+output "vpn_gateway_connection" {
+  value       = azurerm_vpn_gateway_connection.vpn_gateway_connection
+  description = "VPN Gateway Connection object"
+}
diff --git a/modules/networking/vpn_gateway_connection/variables.tf b/modules/networking/vpn_gateway_connection/variables.tf
@@ -0,0 +1,8 @@
+variable "settings" {}
+variable "global_settings" {
+  description = "Global settings object (see module README.md)"
+}
+variable "vpn_gateway_id" {}
+variable "vpn_sites" {}
+variable "client_config" {}
+variable "route_tables" {}