Documentation and tests written for GCE VPN config
This commit is contained in:
parent
52d07142b0
commit
28869b5c7b
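--- a/examples/vpn/README.md
+++ b/examples/vpn/README.md
@@ -0,0 +1,17 @@
+# Google Compute Engine VPN Example
+
+This example joins two GCE networks via VPN. The firewall rules have been set up
+so that you can create an instance in each network and have them communicate
+using their internal IP addresses.
+
+See this [example](https://cloud.google.com/compute/docs/vpn) for more
+information.
+
+Run this example using
+
+```
+terraform apply \
+-var="region1=us-central1" \
+-var="region2=europe-west1" \
+-var="project=my-project-id-123"
+```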
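--- a/examples/vpn/variables.tf
+++ b/examples/vpn/variables.tf
@@ -0,0 +1,11 @@
+variable "project" {
+description = "Your project name"
+}
+
+variable "region1" {
+description = "The desired region for the first network & VPN and project"
+}
+
+variable "region2" {
+description = "The desired region for the second network & VPN"
+}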
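Review bot: The description `"The desired region for the first network & VPN and project"` on `region1` reads as if the project itself had a region; the trailing "and project" presumably refers to `region1` also being used as the provider's default `region` in vpn.tf. Suggest `description = "The region for the first network & VPN; also used as the provider's default region"` so a user running the README's `terraform apply` knows why this value is asked for twice. The `project` description `"Your project name"` is likewise worth tightening to `"Your project ID"`, since the README passes `project=my-project-id-123`.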
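--- a/examples/vpn/vpn.tf
+++ b/examples/vpn/vpn.tf
@@ -0,0 +1,172 @@
+# An example of how to connect two GCE networks with a VPN
+provider "google" {
+account_file = "${file("~/gce/account.json")}"
+project = "${var.project}"
+region = "${var.region1}"
+}
+
+# Create the two networks we want to join. They must have seperate, internal
+# ranges.
+resource "google_compute_network" "network1" {
+name = "network1"
+ipv4_range = "10.120.0.0/16"
+}
+
+resource "google_compute_network" "network2" {
+name = "network2"
+ipv4_range = "10.121.0.0/16"
+}
+
+# Attach a VPN gateway to each network.
+resource "google_compute_vpn_gateway" "target_gateway1" {
+name = "vpn1"
+network = "${google_compute_network.network1.self_link}"
+region = "${var.region1}"
+}
+
+resource "google_compute_vpn_gateway" "target_gateway2" {
+name = "vpn2"
+network = "${google_compute_network.network2.self_link}"
+region = "${var.region2}"
+}
+
+# Create an outward facing static IP for each VPN that will be used by the
+# other VPN to connect.
+resource "google_compute_address" "vpn_static_ip1" {
+name = "vpn-static-ip1"
+region = "${var.region1}"
+}
+
+resource "google_compute_address" "vpn_static_ip2" {
+name = "vpn-static-ip2"
+region = "${var.region2}"
+}
+
+# Forward IPSec traffic coming into our static IP to our VPN gateway.
+resource "google_compute_forwarding_rule" "fr1_esp" {
+name = "fr1-esp"
+region = "${var.region1}"
+ip_protocol = "ESP"
+ip_address = "${google_compute_address.vpn_static_ip1.address}"
+target = "${google_compute_vpn_gateway.target_gateway1.self_link}"
+}
+
+resource "google_compute_forwarding_rule" "fr2_esp" {
+name = "fr2-esp"
+region = "${var.region2}"
+ip_protocol = "ESP"
+ip_address = "${google_compute_address.vpn_static_ip2.address}"
+target = "${google_compute_vpn_gateway.target_gateway2.self_link}"
+}
+
+# The following two sets of forwarding rules are used as a part of the IPSec
+# protocol
+resource "google_compute_forwarding_rule" "fr1_udp500" {
+name = "fr1-udp500"
+region = "${var.region1}"
+ip_protocol = "UDP"
+port_range = "500"
+ip_address = "${google_compute_address.vpn_static_ip1.address}"
+target = "${google_compute_vpn_gateway.target_gateway1.self_link}"
+}
+
+resource "google_compute_forwarding_rule" "fr2_udp500" {
+name = "fr2-udp500"
+region = "${var.region2}"
+ip_protocol = "UDP"
+port_range = "500"
+ip_address = "${google_compute_address.vpn_static_ip2.address}"
+target = "${google_compute_vpn_gateway.target_gateway2.self_link}"
+}
+
+resource "google_compute_forwarding_rule" "fr1_udp4500" {
+name = "fr1-udp4500"
+region = "${var.region1}"
+ip_protocol = "UDP"
+port_range = "4500"
+ip_address = "${google_compute_address.vpn_static_ip1.address}"
+target = "${google_compute_vpn_gateway.target_gateway1.self_link}"
+}
+
+resource "google_compute_forwarding_rule" "fr2_udp4500" {
+name = "fr2-udp4500"
+region = "${var.region2}"
+ip_protocol = "UDP"
+port_range = "4500"
+ip_address = "${google_compute_address.vpn_static_ip2.address}"
+target = "${google_compute_vpn_gateway.target_gateway2.self_link}"
+}
+
+# Each tunnel is responsible for encrypting and decrypting traffic exiting
+# and leaving it's associated gateway
+resource "google_compute_vpn_tunnel" "tunnel1" {
+name = "tunnel1"
+region = "${var.region1}"
+peer_ip = "${google_compute_address.vpn_static_ip2.address}"
+shared_secret = "a secret message"
+target_vpn_gateway = "${google_compute_vpn_gateway.target_gateway1.self_link}"
+depends_on = ["google_compute_forwarding_rule.fr1_udp500",
+"google_compute_forwarding_rule.fr1_udp4500",
+"google_compute_forwarding_rule.fr1_esp"]
+}
+
+resource "google_compute_vpn_tunnel" "tunnel2" {
+name = "tunnel2"
+region = "${var.region2}"
+peer_ip = "${google_compute_address.vpn_static_ip1.address}"
+shared_secret = "a secret message"
+target_vpn_gateway = "${google_compute_vpn_gateway.target_gateway2.self_link}"
+depends_on = ["google_compute_forwarding_rule.fr2_udp500",
+"google_compute_forwarding_rule.fr2_udp4500",
+"google_compute_forwarding_rule.fr2_esp"]
+}
+
+# Each route tells the associated network to send all traffic in the dest_range
+# through the VPN tunnel
+resource "google_compute_route" "route1" {
+name = "route1"
+network = "${google_compute_network.network1.name}"
+next_hop_vpn_tunnel = "${google_compute_vpn_tunnel.tunnel1.self_link}"
+dest_range = "${google_compute_network.network2.ipv4_range}"
+priority = 1000
+}
+
+resource "google_compute_route" "route2" {
+name = "route2"
+network = "${google_compute_network.network2.name}"
+next_hop_vpn_tunnel = "${google_compute_vpn_tunnel.tunnel2.self_link}"
+dest_range = "${google_compute_network.network1.ipv4_range}"
+priority = 1000
+}
+
+# We want to allow the two networks to communicate, so we need to unblock
+# them in the firewall
+resource "google_compute_firewall" "network1-allow-network1" {
+name = "network1-allow-network1"
+network = "${google_compute_network.network1.name}"
+source_ranges = ["${google_compute_network.network1.ipv4_range}"]
+allow {
+protocol = "tcp"
+}
+allow {
+protocol = "udp"
+}
+allow {
+protocol = "icmp"
+}
+}
+
+resource "google_compute_firewall" "network1-allow-network2" {
+name = "network1-allow-network2"
+network = "${google_compute_network.network1.name}"
+source_ranges = ["${google_compute_network.network2.ipv4_range}"]
+allow {
+protocol = "tcp"
+}
+allow {
+protocol = "udp"
+}
+allow {
+protocol = "icmp"
+}
+}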
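Review bot: `shared_secret = "a secret message"` is a literal IKE pre-shared key committed on both `tunnel1` and `tunnel2`, so anyone applying the example as-is brings up tunnels whose secret is public in this repository. Declare `variable "shared_secret" {}` next to the other variables, reference it as `shared_secret = "${var.shared_secret}"` in both tunnel resources, and have the README pass it with `-var` alongside `project` and the regions. The key is still written to the Terraform state file, which therefore needs the same protection as the credentials the provider block reads from `~/gce/account.json`; a one-line comment on the tunnel block saying so would save the next reader a surprise. Two comment typos while here: `seperate` on the networks comment should be `separate`, and `it's associated gateway` on the tunnel comment should be `its`.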