From a151ddd8f74416cb64e988ac0b125e6d01951bef Mon Sep 17 00:00:00 2001 From: Carl Johnston Date: Wed, 16 Jun 2021 04:32:09 +0000 Subject: [PATCH 1/3] Terraform formatting --- .../networking/application_gateway/locals.backend_pools.tf | 2 +- .../virtual_wan/virtual_hub/site_to_site_gateway.tf | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/networking/application_gateway/locals.backend_pools.tf b/modules/networking/application_gateway/locals.backend_pools.tf index 5ee6f22b74..70536a5a19 100644 --- a/modules/networking/application_gateway/locals.backend_pools.tf +++ b/modules/networking/application_gateway/locals.backend_pools.tf @@ -33,7 +33,7 @@ locals { local.backend_pools_app_services[key], local.backend_pools_fqdn[key] ] - ),null) + ), null) ip_addresses = try(value.backend_pool.ip_addresses, null) } } diff --git a/modules/networking/virtual_wan/virtual_hub/site_to_site_gateway.tf b/modules/networking/virtual_wan/virtual_hub/site_to_site_gateway.tf index 270d0091f2..da3c99ff12 100644 --- a/modules/networking/virtual_wan/virtual_hub/site_to_site_gateway.tf +++ b/modules/networking/virtual_wan/virtual_hub/site_to_site_gateway.tf @@ -38,7 +38,7 @@ resource "azurerm_vpn_gateway" "s2s_gateway" { custom_ips = var.virtual_hub_config.s2s_config.bgp_settings.instance_0_bgp_peering_address.custom_ips } } - + dynamic "instance_1_bgp_peering_address" { for_each = try(var.virtual_hub_config.s2s_config.bgp_settings.instance_1_bgp_peering_address, null) == null ? [] : [1] @@ -46,7 +46,7 @@ resource "azurerm_vpn_gateway" "s2s_gateway" { custom_ips = var.virtual_hub_config.s2s_config.bgp_settings.instance_1_bgp_peering_address.custom_ips } } - + } } From 84adaa0b80d27c71fe1cf0c34f41daee343cc42b Mon Sep 17 00:00:00 2001 
From: Carl Johnston Date: Tue, 8 Jun 2021 06:10:38 +0000 Subject: [PATCH 2/3] Added support for vpn_sites --- .../108-vwan-vpn-site/virtual_wan.tfvars | 64 +++++++++++++++++++ landingzones/caf_example/README.md | 1 + landingzones/caf_example/module.tf | 1 + landingzones/caf_example/variables.tf | 3 + locals.combined_objects.tf | 1 + locals.tf | 1 + modules/networking/vpn_site/main.tf | 14 ++++ modules/networking/vpn_site/module.tf | 39 +++++++++++ modules/networking/vpn_site/output.tf | 4 ++ modules/networking/vpn_site/variables.tf | 17 +++++ networking_vpn_site.tf | 42 ++++++++++++ 11 files changed, 187 insertions(+) create mode 100644 examples/networking/virtual_wan/108-vwan-vpn-site/virtual_wan.tfvars create mode 100644 modules/networking/vpn_site/main.tf create mode 100644 modules/networking/vpn_site/module.tf create mode 100755 modules/networking/vpn_site/output.tf create mode 100755 modules/networking/vpn_site/variables.tf create mode 100644 networking_vpn_site.tf diff --git a/examples/networking/virtual_wan/108-vwan-vpn-site/virtual_wan.tfvars b/examples/networking/virtual_wan/108-vwan-vpn-site/virtual_wan.tfvars new file mode 100644 index 0000000000..599d79fcbf --- /dev/null +++ b/examples/networking/virtual_wan/108-vwan-vpn-site/virtual_wan.tfvars 
@@ -0,0 +1,64 @@
+global_settings = {
+ default_region = "region1"
+ regions = {
+ region1 = "southeastasia"
+ }
+}
+
+resource_groups = {
+ hub_re1 = {
+ name = "vnet-hub-re1"
+ region = "region1"
+ }
+}
+
+virtual_wans = {
+ vwan_re1 = {
+ resource_group_key = "hub_re1"
+ name = "contosovWAN-re1"
+ region = "region1"
+ }
+}
+
+vpn_sites = {
+ vpn-site-1 = {
+ name = "vpn-site-1"
+ address_cidrs = ["1.2.3.0/24", "4.5.6.0/24"]
+ device_vendor = "Cisco"
+ device_model = "800"
+
+ resource_group = {
+ # lz_key = "vwans" # Set the 'lz_key' of a Resource Group created in a remote deployment
+ key = "hub_re1" # Set the 'key' of the Resource Group created in this (or a remote) deployment
+ }
+
+ virtual_wan = {
+ key = "vwan_re1" # Set the 'key' of the Virtual WAN created in this (or a remote) deployment
+ # lz_key = "vwans" # Set the 'lz_key' of a Virtual WAN created in a remote deployment
+ #
+ # or
+ #
+ # id = "/subscriptions/{subscriptionId}/resourceGroups/testRG/providers/Microsoft.Network/virtualHubs/westushub/hubRouteTables/defaultRouteTable" # Set the Resource ID of an existing Virtual WAN
+ # resource_id = "/subscriptions/[subscription_id]/resourceGroups/qaxu-rg-dns-domain-registrar/providers/Microsoft.Network/dnszones/ml0iaix4xgnz0jqd.com" # Set the Resource ID of an existing Virtual WAN
+ }
+
+ links = {
+ primary = {
+ name = "primary"
+ ip_address = "1.2.3.4"
+ provider_name = "Microsoft"
+ speed_in_mbps = "150"
+ }
+ secondary = {
+ name = "secondary"
+ fqdn = "secondary.link.com"
+ provider_name = "Microsoft"
+ speed_in_mbps = "50"
+ bgp = {
+ asn = "65534"
+ peering_address = "169.254.1.2"
+ }
+ }
+ }
+ }
+}
diff --git a/landingzones/caf_example/README.md b/landingzones/caf_example/README.md
index 379d6303d5..65d7de1c98 100755
--- a/landingzones/caf_example/README.md
+++ b/landingzones/caf_example/README.md
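Review bot: The commented `id` and `resource_id` examples inside `virtual_wan` point at the wrong resource types — the first is a hub route table ID and the second a DNS zone ID — although both comments say "existing Virtual WAN"; someone copying either gets an input that `networking_vpn_site.tf` accepts but the provider will reject. Replace them with one placeholder of the right shape, e.g. `# id = "/subscriptions/{subscriptionId}/resourceGroups/{rg}/providers/Microsoft.Network/virtualWans/{name}" # Set the Resource ID of an existing Virtual WAN`, and either drop the duplicate `resource_id` line or say that both keys are accepted. The sample addresses `1.2.3.0/24`, `4.5.6.0/24` and `1.2.3.4` are routable public space; the documentation ranges (`203.0.113.0/24`, `198.51.100.0/24`) make it obvious they are placeholders.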
@@ -229,6 +229,7 @@ No resources. | virtual\_wans | n/a | `map` | `{}` | no | | vnet\_peerings | n/a | `map` | `{}` | no | | vnets | n/a | `map` | `{}` | no | +| vpn_sites | n/a | `map` | `{}` | no | ## Outputs diff --git a/landingzones/caf_example/module.tf b/landingzones/caf_example/module.tf index 9d7633a8b9..0d9d70170e 100644 --- a/landingzones/caf_example/module.tf +++ b/landingzones/caf_example/module.tf @@ -117,6 +117,7 @@ module "example" { virtual_wans = var.virtual_wans vnet_peerings = var.vnet_peerings vnets = var.vnets + vpn_sites = var.vpn_sites } diagnostics = { diff --git a/landingzones/caf_example/variables.tf b/landingzones/caf_example/variables.tf index 3d0a9070d3..c91c727289 100755 --- a/landingzones/caf_example/variables.tf +++ b/landingzones/caf_example/variables.tf @@ -508,3 +508,6 @@ variable "wvd_host_pools" { variable "lighthouse_definitions" { default = {} } +variable "vpn_sites" { + default = {} +} \ No newline at end of file diff --git a/locals.combined_objects.tf b/locals.combined_objects.tf index 8f7aa4bf18..8c0266ae56 100644 --- a/locals.combined_objects.tf +++ b/locals.combined_objects.tf 
@@ -54,6 +54,7 @@ locals { combined_objects_virtual_hub_route_tables = merge(tomap({ (local.client_config.landingzone_key) = azurerm_virtual_hub_route_table.route_table }), try(var.remote_objects.virtual_hub_route_tables, {})) combined_objects_virtual_hubs = merge(tomap({ (local.client_config.landingzone_key) = module.virtual_hubs }), try(var.remote_objects.virtual_hubs, {})) combined_objects_virtual_wans = merge(tomap({ (local.client_config.landingzone_key) = module.virtual_wans }), try(var.remote_objects.virtual_wans, {})) + combined_objects_vpn_sites = merge(tomap({ (local.client_config.landingzone_key) = module.vpn_sites }), try(var.remote_objects.vpn_sites, {})) combined_objects_wvd_application_groups = merge(tomap({ (local.client_config.landingzone_key) = module.wvd_application_groups }), try(var.remote_objects.wvd_application_groups, {})) combined_objects_wvd_host_pools = merge(tomap({ (local.client_config.landingzone_key) = module.wvd_host_pools }), try(var.remote_objects.wvd_host_pools, {})) combined_objects_wvd_workspaces = merge(tomap({ (local.client_config.landingzone_key) = module.wvd_workspaces }), try(var.remote_objects.wvd_workspaces, {})) diff --git a/locals.tf b/locals.tf index caf88c8d12..6835b8b223 100755 --- a/locals.tf +++ b/locals.tf @@ -202,6 +202,7 @@ locals { virtual_wans = try(var.networking.virtual_wans, {}) vnet_peerings = try(var.networking.vnet_peerings, {}) vnets = try(var.networking.vnets, {}) + vpn_sites = try(var.networking.vpn_sites, {}) } object_id = coalesce(var.logged_user_objectId, var.logged_aad_app_objectId, try(data.azurerm_client_config.current.object_id, null), try(data.azuread_service_principal.logged_in_app.0.object_id, null)) diff --git a/modules/networking/vpn_site/main.tf b/modules/networking/vpn_site/main.tf new file mode 100644 index 0000000000..4a54194d01 --- /dev/null +++ b/modules/networking/vpn_site/main.tf 
@@ -0,0 +1,14 @@
+locals {
+ module_tag = {
+ "module" = basename(abspath(path.module))
+ }
+ tags = merge(var.base_tags, local.module_tag, try(var.settings.tags, null))
+}
+
+terraform {
+ required_providers {
+ azurecaf = {
+ source = "aztfmod/azurecaf"
+ }
+ }
+}
diff --git a/modules/networking/vpn_site/module.tf b/modules/networking/vpn_site/module.tf
new file mode 100644
index 0000000000..16b22c73d0
--- /dev/null
+++ b/modules/networking/vpn_site/module.tf
@@ -0,0 +1,39 @@
+resource "azurecaf_name" "vpn_site" {
+ name = var.settings.name
+ resource_type = "azurerm_point_to_site_vpn_gateway" # TODO "azurerm_vpn_site"
+ prefixes = var.global_settings.prefixes
+ random_length = var.global_settings.random_length
+ clean_input = true
+ passthrough = var.global_settings.passthrough
+ use_slug = var.global_settings.use_slug
+}
+
+resource "azurerm_vpn_site" "vpn_site" {
+ name = azurecaf_name.vpn_site.result
+ location = var.location
+ resource_group_name = var.resource_group_name
+ virtual_wan_id = var.virtual_wan_id
+ address_cidrs = try(var.settings.address_cidrs, null)
+ device_model = try(var.settings.device_model, null)
+ device_vendor = try(var.settings.device_vendor, null)
+ tags = local.tags
+
+ dynamic "link" {
+ for_each = try(var.settings.links, {})
+ content {
+ name = link.value.name
+ ip_address = try(link.value.ip_address, null)
+ fqdn = try(link.value.fqdn, null)
+ provider_name = try(link.value.provider_name, null)
+ speed_in_mbps = try(link.value.speed_in_mbps, null)
+
+ dynamic "bgp" {
+ for_each = try([link.value.bgp], []) # TODO - Check this works
+ content {
+ asn = bgp.value.asn
+ peering_address = bgp.value.peering_address
+ }
+ }
+ }
+ }
+}
diff --git a/modules/networking/vpn_site/output.tf b/modules/networking/vpn_site/output.tf
new file mode 100755
index 0000000000..36e43817e5
--- /dev/null
+++ b/modules/networking/vpn_site/output.tf
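Review bot: `resource_type = "azurerm_point_to_site_vpn_gateway" # TODO "azurerm_vpn_site"` in the `azurecaf_name` resource means every VPN site name is validated and slugged as a P2S gateway, not as a VPN site; if the azurecaf provider version the repo pins already knows `azurerm_vpn_site` the TODO should be resolved here, and the identical TODO in `modules/networking/vpn_gateway_connection/module.tf` (which uses `azurerm_virtual_network_gateway`) at the same time, otherwise the comment should name the provider version being waited on. The `# TODO - Check this works` on the `bgp` block can be closed: `try([link.value.bgp], [])` yields `[]` whenever the link has no `bgp` attribute, so exactly one `bgp` block is rendered for links that define it and none otherwise — replace the TODO with `# one bgp block when the link defines bgp, none otherwise`.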
@@ -0,0 +1,4 @@
+output "vpn_site" {
+ value = azurerm_vpn_site.vpn_site
+ description = "VPN Site object"
+}
diff --git a/modules/networking/vpn_site/variables.tf b/modules/networking/vpn_site/variables.tf
new file mode 100755
index 0000000000..f494c1be93
--- /dev/null
+++ b/modules/networking/vpn_site/variables.tf
@@ -0,0 +1,17 @@
+variable "resource_group_name" {
+ description = "(Required) The name of the resource group where to create the resource."
+ type = string
+}
+variable "location" {
+ description = "(Required) Specifies the supported Azure location where to create the resource. Changing this forces a new resource to be created."
+ type = string
+}
+variable "base_tags" {
+ description = "Base tags for the resource to be inherited from the resource group."
+ type = map(any)
+}
+variable "settings" {}
+variable "global_settings" {
+ description = "Global settings object (see module README.md)"
+}
+variable "virtual_wan_id" {}
diff --git a/networking_vpn_site.tf b/networking_vpn_site.tf
new file mode 100644
index 0000000000..d5e73347f8
--- /dev/null
+++ b/networking_vpn_site.tf
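Review bot: `variable "settings" {}` and `variable "virtual_wan_id" {}` carry neither a `description` nor a `type`, while the three variables above them in the same file document both; the same gap covers all six variables added in `modules/networking/vpn_gateway_connection/variables.tf` in the next patch (`vpn_gateway_id`, `vpn_sites`, `client_config`, `route_tables` are all untyped and undescribed). `virtual_wan_id` at least can be pinned to `type = string` with a one-line description such as `(Required) Resource ID of the Virtual WAN the site is attached to.`, and `settings` deserves a sentence listing the keys the module reads (`name`, `address_cidrs`, `device_model`, `device_vendor`, `links`, `tags`).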
@@ -0,0 +1,42 @@
+
+#
+#
+# VPN Sites
+#
+#
+
+output "vpn_sites" {
+ value = module.vpn_sites
+}
+
+module "vpn_sites" {
+ depends_on = [module.virtual_wans]
+ source = "./modules/networking/vpn_site"
+ for_each = local.networking.vpn_sites
+
+ global_settings = local.global_settings
+ settings = each.value
+
+ base_tags = try(local.global_settings.inherit_tags, false) ? coalesce(
+ try(local.resource_groups[each.value.resource_group_key].tags, null),
+ try(local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][each.value.resource_group.key].tags, null),
+ ) : {}
+
+ location = lookup(each.value, "region", null) == null ? coalesce(
+ try(local.resource_groups[each.value.resource_group_key].location, null),
+ try(local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][each.value.resource_group.key].location, null),
+ ) : local.global_settings.regions[each.value.region]
+
+ resource_group_name = coalesce(
+ try(local.resource_groups[each.value.resource_group_key].name, null),
+ try(local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][each.value.resource_group.key].name, null),
+ )
+
+ virtual_wan_id = coalesce(
+ try(local.combined_objects_virtual_wans[try(each.value.virtual_wan.lz_key, local.client_config.landingzone_key)][each.value.virtual_wan.key].virtual_wan.id, null),
+ try(local.combined_objects_virtual_wans[try(each.value.lz_key, local.client_config.landingzone_key)][each.value.virtual_wan_key].virtual_wan.id, null),
+ try(each.value.virtual_wan.resource_id, null),
+ try(each.value.virtual_wan.id, null),
+ try(each.value.virtual_wan_id, null)
+ )
+}
From 27b07584a6730e210babe744b5b866342d9dd225 Mon Sep 17 00:00:00 2001
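Review bot: The header comment says only `VPN Sites`, yet `virtual_wan_id` accepts five input shapes (`virtual_wan.key` with optional `virtual_wan.lz_key`, the legacy `virtual_wan_key`/`lz_key` pair, `virtual_wan.resource_id`, `virtual_wan.id`, and a bare `virtual_wan_id`) and `resource_group_name` accepts both `resource_group_key` and `resource_group.key`/`lz_key`, while the example tfvars shows only one of each; when nothing resolves, `coalesce()` fails with a generic no-non-null-arguments error that does not name the offending site. Extend the header block with a comment listing the accepted reference forms for `resource_group` and `virtual_wan` so a failing plan can be diagnosed from this file alone. Whether `virtual_wan.resource_id` is meant to stay supported next to `virtual_wan.id`, or is a leftover, is not clear from the hunk and is worth stating in that comment.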
From: Carl Johnston Date: Tue, 8 Jun 2021 06:10:38 +0000 Subject: [PATCH 3/3] Added support for vpn_gateway_connections --- .../virtual_wan.tfvars | 165 ++++++++++++++++++ landingzones/caf_example/README.md | 1 + landingzones/caf_example/module.tf | 1 + landingzones/caf_example/variables.tf | 5 +- locals.combined_objects.tf | 1 + locals.tf | 1 + .../networking/vpn_gateway_connection/main.tf | 7 + .../vpn_gateway_connection/module.tf | 71 ++++++++ .../vpn_gateway_connection/output.tf | 4 + .../vpn_gateway_connection/variables.tf | 8 + networking_vpn_gateway_connection.tf | 27 +++ 11 files changed, 290 insertions(+), 1 deletion(-) create mode 100644 examples/networking/virtual_wan/109-vwan-vpn-gateway-connection/virtual_wan.tfvars create mode 100644 modules/networking/vpn_gateway_connection/main.tf create mode 100644 modules/networking/vpn_gateway_connection/module.tf create mode 100755 modules/networking/vpn_gateway_connection/output.tf create mode 100755 modules/networking/vpn_gateway_connection/variables.tf create mode 100644 networking_vpn_gateway_connection.tf diff --git a/examples/networking/virtual_wan/109-vwan-vpn-gateway-connection/virtual_wan.tfvars b/examples/networking/virtual_wan/109-vwan-vpn-gateway-connection/virtual_wan.tfvars new file mode 100644 index 0000000000..288a4e3553 --- /dev/null +++ b/examples/networking/virtual_wan/109-vwan-vpn-gateway-connection/virtual_wan.tfvars 
@@ -0,0 +1,165 @@
+global_settings = {
+ default_region = "region1"
+ regions = {
+ region1 = "southeastasia"
+ }
+}
+
+resource_groups = {
+ hub_re1 = {
+ name = "vnet-hub-re1"
+ region = "region1"
+ }
+}
+
+virtual_wans = {
+ vwan_re1 = {
+ resource_group_key = "hub_re1"
+ name = "contosovWAN-re1"
+ region = "region1"
+
+ hubs = {
+ hub_re1 = {
+ hub_name = "hub-re1"
+ region = "region1"
+ hub_address_prefix = "10.0.3.0/24"
+ deploy_firewall = false
+ deploy_p2s = false
+ p2s_config = {}
+ deploy_s2s = true
+ s2s_config = {
+ name = "caf-sea-vpn-s2s"
+ scale_unit = 1
+ }
+ deploy_er = false
+ }
+ }
+ }
+}
+
+virtual_hub_route_tables = {
+ routetable1 = {
+ name = "example-vhubroutetable1"
+
+ virtual_wan_key = "vwan_re1"
+ virtual_hub_key = "hub_re1"
+
+ labels = ["label1"]
+ }
+ routetable2 = {
+ name = "example-vhubroutetable2"
+
+ virtual_wan_key = "vwan_re1"
+ virtual_hub_key = "hub_re1"
+
+ labels = ["label2"]
+ }
+}
+
+vpn_sites = {
+ vpn-site-1 = {
+ name = "vpn-site-1"
+ address_cidrs = ["1.2.3.0/24", "4.5.6.0/24"]
+ device_vendor = "Cisco"
+ device_model = "800"
+
+ resource_group = {
+ key = "hub_re1"
+ }
+
+ virtual_wan = {
+ key = "vwan_re1"
+ }
+
+ links = {
+ primary = {
+ name = "primary"
+ ip_address = "1.2.3.4"
+ provider_name = "Microsoft"
+ speed_in_mbps = "150"
+ }
+ secondary = {
+ name = "secondary"
+ fqdn = "secondary.link.com"
+ provider_name = "Microsoft"
+ speed_in_mbps = "50"
+ bgp = {
+ asn = "65534"
+ peering_address = "169.254.1.2"
+ }
+ }
+ }
+ }
+}
+
+vpn_gateway_connections = {
+ connection-1 = {
+ name = "connection-1"
+ internet_security_enabled = false
+
+ # vpn_site_id = "" # Set the Resource ID of an existing VPN Site
+ vpn_site = {
+ # lz_key = "vpns" # Set the 'lz_key' of a VPN Site created in a remote deployment
+ key = "vpn-site-1" # Set the 'key' of the VPN Site created in this (or a remote) deployment
+ }
+
+ # virtual_hub_gateway_id = "" # Set the Resource ID of an existing Virtual Hub's VPN Gateway
+ virtual_hub = {
+ # lz_key = "" # Set the 'lz_key' of a Virtual Hub created in a remote deployment
+ key = "hub_re1" # Set the 'key' of the Virtual Hub created in this (or a remote) deployment
+ }
+
+ vpn_links = {
+ link-1 = {
+ link_index = 0 # Index order of VPN Site's Link
+ name = "link-1"
+ bandwidth_mbps = "100" # Optional
+ bgp_enabled = true # Optional
+ protocol = "IKEv2" # Optional
+ ratelimit_enabled = true # Optional
+ route_weight = "100" # Optional
+ shared_key = "abc123456" # Optional
+ local_azure_ip_address_enabled = false # Optional
+ policy_based_traffic_selectors_enabled = false # Optional
+
+ ipsec_policies = { # Optional
+ policy1 = {
+ dh_group = "DHGroup14"
+ ike_encryption_algorithm = "AES256"
+ ike_integrity_algorithm = "SHA256"
+ encryption_algorithm = "AES256"
+ integrity_algorithm = "SHA256"
+ pfs_group = "PFS14"
+ sa_data_size_kb = "102400000"
+ sa_lifetime_sec = "27000"
+ }
+ }
+ }
+ # link-2 = {
+ # link_index = 1
+ # name = "link-2"
+ # }
+ }
+
+ routing = { # Optional
+ associated_route_table = {
+ # id = "" # Set the Resource ID of an existing Virtual WAN Route Table
+ # lz_key = "" # Set the 'lz_key' of a Route Table created in a remote deployment
+ key = "routetable1" # Set the 'key' of the Route Table created in this (or a remote) deployment
+ }
+
+ propagated_route_tables = {
+ routetable1 = {
+ # id = "" # Set the Resource ID of an existing Virtual WAN Route Table
+ # lz_key = "" # Set the 'lz_key' of a Route Table created in a remote deployment
+ key = "routetable1" # Set the 'key' of the Route Table created in this (or a remote) deployment
+ }
+ routetable2 = {
+ # id = "" # Set the Resource ID of an existing Virtual WAN Route Table
+ # lz_key = "" # Set the 'lz_key' of a Route Table created in a remote deployment
+ key = "routetable2" # Set the 'key' of the Route Table created in this (or a remote) deployment
+ }
+ }
+ }
+ }
+}
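Review bot: `shared_key = "abc123456" # Optional` puts an IPsec pre-shared key in plaintext into an example that users copy verbatim; the module passes it straight through to the resource's `shared_key`, so whatever value ends up here is also stored in state and exported by the `vpn_gateway_connections` output. Replace it with a marker that cannot be mistaken for a usable value and points at a secret source, e.g. `shared_key = "<replace-with-psk-from-key-vault>" # Optional - never commit a real key`. Separately, `policy_based_traffic_selectors_enabled` (plural) is not the key that `modules/networking/vpn_gateway_connection/module.tf` reads — it uses `policy_based_traffic_selector_enabled` — so the example's value is silently dropped by `try()` and the example key should be renamed to the singular form.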
diff --git a/landingzones/caf_example/README.md b/landingzones/caf_example/README.md index 65d7de1c98..ec3976fd1c 100755 --- a/landingzones/caf_example/README.md +++ b/landingzones/caf_example/README.md @@ -229,6 +229,7 @@ No resources. | virtual\_wans | n/a | `map` | `{}` | no | | vnet\_peerings | n/a | `map` | `{}` | no | | vnets | n/a | `map` | `{}` | no | +| vpn_gateway_connections | n/a | `map` | `{}` | no | | vpn_sites | n/a | `map` | `{}` | no | ## Outputs diff --git a/landingzones/caf_example/module.tf b/landingzones/caf_example/module.tf index 0d9d70170e..8003907320 100644 --- a/landingzones/caf_example/module.tf +++ b/landingzones/caf_example/module.tf @@ -118,6 +118,7 @@ module "example" { vnet_peerings = var.vnet_peerings vnets = var.vnets vpn_sites = var.vpn_sites + vpn_gateway_connections = var.vpn_gateway_connections } diagnostics = { diff --git a/landingzones/caf_example/variables.tf b/landingzones/caf_example/variables.tf index c91c727289..53fddf5880 100755 --- a/landingzones/caf_example/variables.tf +++ b/landingzones/caf_example/variables.tf @@ -510,4 +510,7 @@ variable "lighthouse_definitions" { } variable "vpn_sites" { default = {} -} \ No newline at end of file +} +variable "vpn_gateway_connections" { + default = {} +} diff --git a/locals.combined_objects.tf b/locals.combined_objects.tf index 8c0266ae56..1b7a496f92 100644 --- a/locals.combined_objects.tf +++ b/locals.combined_objects.tf 
@@ -54,6 +54,7 @@ locals { combined_objects_virtual_hub_route_tables = merge(tomap({ (local.client_config.landingzone_key) = azurerm_virtual_hub_route_table.route_table }), try(var.remote_objects.virtual_hub_route_tables, {})) combined_objects_virtual_hubs = merge(tomap({ (local.client_config.landingzone_key) = module.virtual_hubs }), try(var.remote_objects.virtual_hubs, {})) combined_objects_virtual_wans = merge(tomap({ (local.client_config.landingzone_key) = module.virtual_wans }), try(var.remote_objects.virtual_wans, {})) + combined_objects_vpn_gateway_connections = merge(tomap({ (local.client_config.landingzone_key) = module.vpn_gateway_connections }), try(var.remote_objects.vpn_gateway_connections, {})) combined_objects_vpn_sites = merge(tomap({ (local.client_config.landingzone_key) = module.vpn_sites }), try(var.remote_objects.vpn_sites, {})) combined_objects_wvd_application_groups = merge(tomap({ (local.client_config.landingzone_key) = module.wvd_application_groups }), try(var.remote_objects.wvd_application_groups, {})) combined_objects_wvd_host_pools = merge(tomap({ (local.client_config.landingzone_key) = module.wvd_host_pools }), try(var.remote_objects.wvd_host_pools, {})) diff --git a/locals.tf b/locals.tf index 6835b8b223..520ff4278b 100755 --- a/locals.tf +++ b/locals.tf @@ -202,6 +202,7 @@ locals { virtual_wans = try(var.networking.virtual_wans, {}) vnet_peerings = try(var.networking.vnet_peerings, {}) vnets = try(var.networking.vnets, {}) + vpn_gateway_connections = try(var.networking.vpn_gateway_connections, {}) vpn_sites = try(var.networking.vpn_sites, {}) } diff --git a/modules/networking/vpn_gateway_connection/main.tf b/modules/networking/vpn_gateway_connection/main.tf new file mode 100644 index 0000000000..1fbfa06797 --- /dev/null +++ b/modules/networking/vpn_gateway_connection/main.tf @@ -0,0 +1,7 @@ +terraform { + required_providers { + azurecaf = { + source = "aztfmod/azurecaf" + } + } +} 
diff --git a/modules/networking/vpn_gateway_connection/module.tf b/modules/networking/vpn_gateway_connection/module.tf
new file mode 100644
index 0000000000..b790f74af4
--- /dev/null
+++ b/modules/networking/vpn_gateway_connection/module.tf
@@ -0,0 +1,71 @@
+resource "azurecaf_name" "vpn_gateway_connection" {
+ name = var.settings.name
+ resource_type = "azurerm_virtual_network_gateway" # TODO "azurerm_vpn_gateway_connection"
+ prefixes = var.global_settings.prefixes
+ random_length = var.global_settings.random_length
+ clean_input = true
+ passthrough = var.global_settings.passthrough
+ use_slug = var.global_settings.use_slug
+}
+
+resource "azurerm_vpn_gateway_connection" "vpn_gateway_connection" {
+ name = azurecaf_name.vpn_gateway_connection.result
+ vpn_gateway_id = var.vpn_gateway_id
+ internet_security_enabled = var.settings.internet_security_enabled
+
+ remote_vpn_site_id = coalesce(
+ try(var.vpn_sites[try(var.settings.vpn_site.lz_key, var.client_config.landingzone_key)][var.settings.vpn_site.key].vpn_site.id, null),
+ try(var.settings.vpn_site_id, null)
+ )
+
+ dynamic "vpn_link" {
+ for_each = var.settings.vpn_links
+ content {
+ name = vpn_link.value.name
+ bandwidth_mbps = try(vpn_link.value.bandwidth_mbps, null)
+ bgp_enabled = try(vpn_link.value.bgp_enabled, null)
+ protocol = try(vpn_link.value.protocol, null)
+ ratelimit_enabled = try(vpn_link.value.ratelimit_enabled, null)
+ route_weight = try(vpn_link.value.route_weight, null)
+ shared_key = try(vpn_link.value.shared_key, null)
+ local_azure_ip_address_enabled = try(vpn_link.value.local_azure_ip_address_enabled, null)
+ policy_based_traffic_selector_enabled = try(vpn_link.value.policy_based_traffic_selector_enabled, null)
+
+ vpn_site_link_id = coalesce(
+ try(var.vpn_sites[try(var.settings.vpn_site.lz_key, var.client_config.landingzone_key)][var.settings.vpn_site.key].vpn_site.link[vpn_link.value.link_index].id, null),
+ try(vpn_link.value.vpn_link_id, null)
+ )
+
+ dynamic "ipsec_policy" {
+ for_each = vpn_link.value.ipsec_policies
+ content {
+ dh_group = ipsec_policy.value.dh_group
+ ike_encryption_algorithm = ipsec_policy.value.ike_encryption_algorithm
+ ike_integrity_algorithm = ipsec_policy.value.ike_integrity_algorithm
+ encryption_algorithm = ipsec_policy.value.encryption_algorithm
+ integrity_algorithm = ipsec_policy.value.integrity_algorithm
+ pfs_group = ipsec_policy.value.pfs_group
+ sa_data_size_kb = ipsec_policy.value.sa_data_size_kb
+ sa_lifetime_sec = ipsec_policy.value.sa_lifetime_sec
+ }
+ }
+ }
+ }
+
+ dynamic "routing" {
+ for_each = lookup(var.settings, "routing", null) == null ? [] : [1]
+ content {
+ associated_route_table = coalesce(
+ try(var.route_tables[try(var.settings.routing.associated_route_table.lz_key, var.client_config.landingzone_key)][var.settings.routing.associated_route_table.key].id, null),
+ try(var.settings.routing.associated_route_table.id, null)
+ )
+
+ propagated_route_tables = [
+ for key, value in var.settings.routing.propagated_route_tables : coalesce(
+ try(var.route_tables[try(value.lz_key, var.client_config.landingzone_key)][value.key].id, null),
+ try(value.id, null)
+ )
+ ]
+ }
+ }
+}
diff --git a/modules/networking/vpn_gateway_connection/output.tf b/modules/networking/vpn_gateway_connection/output.tf
new file mode 100755
index 0000000000..a136b5ef4b
--- /dev/null
+++ b/modules/networking/vpn_gateway_connection/output.tf
@@ -0,0 +1,4 @@
+output "vpn_gateway_connection" {
+ value = azurerm_vpn_gateway_connection.vpn_gateway_connection
+ description = "VPN Gateway Connection object"
+}
diff --git a/modules/networking/vpn_gateway_connection/variables.tf b/modules/networking/vpn_gateway_connection/variables.tf
new file mode 100755
index 0000000000..abb3037c16
--- /dev/null
+++ b/modules/networking/vpn_gateway_connection/variables.tf
@@ -0,0 +1,8 @@
+variable "settings" {}
+variable "global_settings" {
+ description = "Global settings object (see module README.md)"
+}
+variable "vpn_gateway_id" {}
+variable "vpn_sites" {}
+variable "client_config" {}
+variable "route_tables" {}
diff --git a/networking_vpn_gateway_connection.tf b/networking_vpn_gateway_connection.tf
new file mode 100644
index 0000000000..fe5bdd4ae3
--- /dev/null
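Review bot: `for_each = vpn_link.value.ipsec_policies` inside the `ipsec_policy` dynamic block is the only per-link attribute not wrapped in `try()`, so a link that omits `ipsec_policies` — which the example tfvars explicitly labels `# Optional` — fails at plan time with an unsupported-attribute error; `for_each = try(vpn_link.value.ipsec_policies, {})` matches the surrounding attributes and the documented contract (the same holds for `internet_security_enabled`, which the example also treats as settable). `vpn_site_link_id` indexes `vpn_site.link[vpn_link.value.link_index]`, and that list appears to be produced by the site module's `dynamic "link"` over the `links` map, so the position follows the sorted map keys rather than the order the user wrote them; a comment on that line such as `# link_index is the link's position in the site's links sorted by key` would prevent a wrong link being silently bound when a site has more than one.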
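Review bot: `value = azurerm_vpn_gateway_connection.vpn_gateway_connection` exports the entire resource, including each `vpn_link.shared_key`, and `networking_vpn_gateway_connection.tf` re-exports it through the root `vpn_gateway_connections` output, so every pre-shared key becomes readable with `terraform output` and by any consumer of the remote state. If the provider flags `shared_key` as sensitive, current Terraform releases refuse to plan until the output carries `sensitive = true`; in either case the output should be marked `sensitive = true` or narrowed to the attributes callers actually need, such as `id`. The `vpn_site` output in the previous patch exports only non-secret attributes, so it is not affected.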
+++ b/networking_vpn_gateway_connection.tf
@@ -0,0 +1,27 @@
+
+#
+#
+# VPN Gateway Connection
+#
+#
+
+output "vpn_gateway_connections" {
+ value = module.vpn_gateway_connections
+}
+
+module "vpn_gateway_connections" {
+ depends_on = [module.virtual_wans, module.vpn_sites]
+ source = "./modules/networking/vpn_gateway_connection"
+ for_each = local.networking.vpn_gateway_connections
+
+ settings = each.value
+ global_settings = local.global_settings
+ client_config = local.client_config
+ vpn_sites = local.combined_objects_vpn_sites
+ route_tables = local.combined_objects_virtual_hub_route_tables
+
+ vpn_gateway_id = coalesce(
+ try(local.combined_objects_virtual_hubs[try(each.value.virtual_hub.lz_key, local.client_config.landingzone_key)][each.value.virtual_hub.key].s2s_gateway.id, null),
+ try(each.value.virtual_hub_gateway_id, null)
+ )
+}