# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
locals {
  # Gateway descriptors: one external VPN gateway per full group of four
  # tunnels, each carrying four AWS tunnel endpoint addresses.
  four_interface_ext_gwys = [for i in range(floor(var.num_tunnels / 4)) :
    { key : i, redundancy_type = "FOUR_IPS_REDUNDANCY" }
  ]
  # A trailing two-interface gateway for the remainder when num_tunnels is not
  # a multiple of four. Its key continues the index sequence of the list above
  # so that positions in num_ext_gwys and aws_vpn_conn_addresses line up.
  # The range is already empty when num_tunnels % 4 == 0; the `if` filter only
  # restates that condition.
  two_interface_ext_gwys = [for i in range(ceil(var.num_tunnels / 4) - length(local.four_interface_ext_gwys)) :
    {
      key : i + length(local.four_interface_ext_gwys),
      redundancy_type = "TWO_IPS_REDUNDANCY"
    } if var.num_tunnels % 4 != 0
  ]
  # Despite the name this is the list of gateway descriptors, not a count;
  # length(local.num_ext_gwys) is the gateway count.
  num_ext_gwys = concat(local.four_interface_ext_gwys, local.two_interface_ext_gwys)
  # AWS-side tunnel outside addresses, two per aws_vpn_connection, grouped in
  # fours: entry k holds the interface addresses for external gateway k.
  # NOTE(review): assumes aws_vpn_connection.vpn_conn iterates in the order
  # num_tunnels was sized from — confirm against the AWS side of the module.
  aws_vpn_conn_addresses = {
    for k, v in chunklist([
      for k, v in flatten([
        for k, v in aws_vpn_connection.vpn_conn :
        [v.tunnel1_address, v.tunnel2_address]
      ]) : v
    ], 4) :
    k => v
  }
  # One entry per tunnel: the external gateway it peers with, the interface on
  # that gateway, and the HA VPN gateway interface (0 or 1) it leaves from.
  # Each gateway yields four candidates (peer interfaces 0..3 on HA interfaces
  # 0,0,1,1). chunklist(..., num_tunnels)[0] keeps only the first num_tunnels
  # entries, which drops the unused candidates of a trailing two-interface
  # gateway.
  tunnels = chunklist(flatten([
    for i in range(length(local.num_ext_gwys)) : [
      for k, v in setproduct(range(2), chunklist(range(4), 2)) :
      {
        ext_gwy : i,
        peer_gwy_interface : k,
        vpn_gwy_interface : v[0] % 2
      }
    ]
  ]), var.num_tunnels)[0]
  # BGP inside addresses in tunnel order (tunnel1 then tunnel2 of each
  # connection). Keys 0..n-1 are expected to match the keys of `tunnels`; the
  # router interface and peer resources index both maps with the same key.
  bgp_sessions = {
    for k, v in flatten([
      for k, v in aws_vpn_connection.vpn_conn :
      [
        {
          ip_address : v.tunnel1_cgw_inside_address,
          peer_ip_address : v.tunnel1_vgw_inside_address
        },
        {
          ip_address : v.tunnel2_cgw_inside_address,
          peer_ip_address : v.tunnel2_vgw_inside_address
        }
      ]
    ]) : k => v
  }
}
resource "google_compute_ha_vpn_gateway" "gwy" {
  # Regional HA VPN gateway on the GCP side; the tunnels select one of its
  # two interfaces via vpn_gateway_interface.
  region  = var.vpn_gwy_region
  network = var.gcp_network
  name    = "${var.prefix}-ha-vpn-gwy"
}
resource "google_compute_external_vpn_gateway" "ext_gwy" {
  # One external (AWS-side) gateway per descriptor in local.num_ext_gwys,
  # keyed by its position in that list.
  for_each = { for idx, gwy in local.num_ext_gwys : idx => gwy }

  name            = "${var.prefix}-ext-vpn-gwy-${each.key}"
  redundancy_type = each.value.redundancy_type

  # One interface per AWS tunnel outside address assigned to this gateway in
  # local.aws_vpn_conn_addresses; the interface id is the position within
  # that address group.
  dynamic "interface" {
    for_each = local.aws_vpn_conn_addresses[each.key]
    content {
      ip_address = interface.value
      id         = interface.key
    }
  }
}
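resource "google_compute_router" "router" {
  # Cloud Router terminating the BGP sessions for every tunnel. The name is
  # prefixed like every other resource in this file; the original hard-coded
  # "vpn-router" would collide when two deployments share a project/region.
  # Changing the name forces replacement of the router and of the tunnels,
  # interfaces and peers that reference it, so plan this on an existing
  # deployment.
  name    = "${var.prefix}-vpn-router"
  network = var.gcp_network
  region  = var.vpn_gwy_region

  bgp {
    asn            = var.gcp_router_asn
    advertise_mode = "CUSTOM"
    # Advertises every subnet of the VPC to the AWS peers. If only some
    # subnets should be reachable over the VPN, drop ALL_SUBNETS and list
    # them explicitly with advertised_ip_ranges.
    advertised_groups = [
      "ALL_SUBNETS"
    ]
  }
}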
resource "google_compute_vpn_tunnel" "tunnel" {
  # One tunnel per entry of local.tunnels, keyed by list index. The same
  # index keys local.bgp_sessions, which is how the router interface for
  # session N is attached to tunnel N.
  for_each = { for idx, t in local.tunnels : idx => t }

  name   = "${var.prefix}-tunnel-${each.key}"
  region = var.vpn_gwy_region
  router = google_compute_router.router.name

  # Local side: which of the HA gateway's two interfaces this tunnel uses.
  vpn_gateway           = google_compute_ha_vpn_gateway.gwy.id
  vpn_gateway_interface = each.value.vpn_gwy_interface

  # Remote side: the external (AWS) gateway and the interface on it.
  peer_external_gateway           = google_compute_external_vpn_gateway.ext_gwy[each.value.ext_gwy].name
  peer_external_gateway_interface = each.value.peer_gwy_interface

  # IKEv2 only. Every tunnel uses the same pre-shared key, and the key is
  # recorded in Terraform state: declare var.shared_secret with
  # sensitive = true and restrict access to the state backend.
  ike_version   = "2"
  shared_secret = var.shared_secret
}
resource "google_compute_router_interface" "interface" {
  # One Cloud Router interface per BGP session, keyed like local.tunnels.
  for_each = local.bgp_sessions

  name   = "${var.prefix}-interface-${each.key}"
  region = var.vpn_gwy_region
  router = google_compute_router.router.name

  # GCP-side inside address with the /30 prefix length of the tunnel's
  # inside CIDR.
  ip_range = "${each.value.ip_address}/30"

  # Relies on bgp_sessions and tunnels sharing index keys: both are built in
  # aws_vpn_connection order, tunnel1 then tunnel2.
  vpn_tunnel = google_compute_vpn_tunnel.tunnel[each.key].name
}
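resource "google_compute_router_peer" "peer" {
  # One BGP peer per session, keyed like local.bgp_sessions / local.tunnels.
  for_each = local.bgp_sessions

  name   = "${var.prefix}-peer-${each.key}"
  region = var.vpn_gwy_region
  router = google_compute_router.router.name

  # Reference the interface resource instead of rebuilding its name as a
  # string: the value is identical, but the reference gives Terraform the
  # dependency it needs to create the interface before the peer.
  interface = google_compute_router_interface.interface[each.key].name

  peer_asn        = var.aws_router_asn
  ip_address      = each.value["ip_address"]
  peer_ip_address = each.value["peer_ip_address"]
}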