From 28869b5c7bb7d8f6e0891927f9c0b703e24c0ae1 Mon Sep 17 00:00:00 2001
From: Lars Wander
Date: Fri, 4 Sep 2015 16:54:18 -0400
Subject: [PATCH] Documentation and tests written for GCE VPN config
---
examples/vpn/README.md | 17 ++++
examples/vpn/variables.tf | 11 +++
examples/vpn/vpn.tf | 172 ++++++++++++++++++++++++++++++++++++++
3 files changed, 200 insertions(+)
create mode 100644 examples/vpn/README.md
create mode 100644 examples/vpn/variables.tf
create mode 100644 examples/vpn/vpn.tf
diff --git a/examples/vpn/README.md b/examples/vpn/README.md
new file mode 100644
index 00000000..db7c6beb
--- /dev/null
+++ b/examples/vpn/README.md
@@ -0,0 +1,17 @@
+# Google Compute Engine VPN Example
+
+This example joins two GCE networks via VPN. The firewall rules have been set up
+so that you can create an instance in each network and have them communicate
+using their internal IP addresses.
+
+See this [example](https://cloud.google.com/compute/docs/vpn) for more
+information.
+
+Run this example using
+
+```
+terraform apply \
+ -var="region1=us-central1" \
+ -var="region2=europe-west1" \
+ -var="project=my-project-id-123"
+```
diff --git a/examples/vpn/variables.tf b/examples/vpn/variables.tf
new file mode 100644
index 00000000..20ada06b
--- /dev/null
+++ b/examples/vpn/variables.tf
@@ -0,0 +1,11 @@
+variable "project" {
+ description = "Your project name"
+}
+
+variable "region1" {
+ description = "The desired region for the first network & VPN and project"
+}
+
+variable "region2" {
+ description = "The desired region for the second network & VPN"
+}
diff --git a/examples/vpn/vpn.tf b/examples/vpn/vpn.tf
new file mode 100644
index 00000000..2693c100
--- /dev/null
+++ b/examples/vpn/vpn.tf
@@ -0,0 +1,172 @@
+# An example of how to connect two GCE networks with a VPN
+provider "google" {
+ account_file = "${file("~/gce/account.json")}"
+ project = "${var.project}"
+ region = "${var.region1}"
+}
+
+# Create the two networks we want to join. They must have seperate, internal
+# ranges.
+resource "google_compute_network" "network1" {
+ name = "network1"
+ ipv4_range = "10.120.0.0/16"
+}
+
+resource "google_compute_network" "network2" {
+ name = "network2"
+ ipv4_range = "10.121.0.0/16"
+}
+
+# Attach a VPN gateway to each network.
+resource "google_compute_vpn_gateway" "target_gateway1" {
+ name = "vpn1"
+ network = "${google_compute_network.network1.self_link}"
+ region = "${var.region1}"
+}
+
+resource "google_compute_vpn_gateway" "target_gateway2" {
+ name = "vpn2"
+ network = "${google_compute_network.network2.self_link}"
+ region = "${var.region2}"
+}
+
+# Create an outward facing static IP for each VPN that will be used by the
+# other VPN to connect.
+resource "google_compute_address" "vpn_static_ip1" {
+ name = "vpn-static-ip1"
+ region = "${var.region1}"
+}
+
+resource "google_compute_address" "vpn_static_ip2" {
+ name = "vpn-static-ip2"
+ region = "${var.region2}"
+}
+
+# Forward IPSec traffic coming into our static IP to our VPN gateway.
+resource "google_compute_forwarding_rule" "fr1_esp" {
+ name = "fr1-esp"
+ region = "${var.region1}"
+ ip_protocol = "ESP"
+ ip_address = "${google_compute_address.vpn_static_ip1.address}"
+ target = "${google_compute_vpn_gateway.target_gateway1.self_link}"
+}
+
+resource "google_compute_forwarding_rule" "fr2_esp" {
+ name = "fr2-esp"
+ region = "${var.region2}"
+ ip_protocol = "ESP"
+ ip_address = "${google_compute_address.vpn_static_ip2.address}"
+ target = "${google_compute_vpn_gateway.target_gateway2.self_link}"
+}
+
+# The following two sets of forwarding rules are used as a part of the IPSec
+# protocol
+resource "google_compute_forwarding_rule" "fr1_udp500" {
+ name = "fr1-udp500"
+ region = "${var.region1}"
+ ip_protocol = "UDP"
+ port_range = "500"
+ ip_address = "${google_compute_address.vpn_static_ip1.address}"
+ target = "${google_compute_vpn_gateway.target_gateway1.self_link}"
+}
+
+resource "google_compute_forwarding_rule" "fr2_udp500" {
+ name = "fr2-udp500"
+ region = "${var.region2}"
+ ip_protocol = "UDP"
+ port_range = "500"
+ ip_address = "${google_compute_address.vpn_static_ip2.address}"
+ target = "${google_compute_vpn_gateway.target_gateway2.self_link}"
+}
+
+resource "google_compute_forwarding_rule" "fr1_udp4500" {
+ name = "fr1-udp4500"
+ region = "${var.region1}"
+ ip_protocol = "UDP"
+ port_range = "4500"
+ ip_address = "${google_compute_address.vpn_static_ip1.address}"
+ target = "${google_compute_vpn_gateway.target_gateway1.self_link}"
+}
+
+resource "google_compute_forwarding_rule" "fr2_udp4500" {
+ name = "fr2-udp4500"
+ region = "${var.region2}"
+ ip_protocol = "UDP"
+ port_range = "4500"
+ ip_address = "${google_compute_address.vpn_static_ip2.address}"
+ target = "${google_compute_vpn_gateway.target_gateway2.self_link}"
+}
+
+# Each tunnel is responsible for encrypting and decrypting traffic exiting
+# and leaving it's associated gateway
+resource "google_compute_vpn_tunnel" "tunnel1" {
+ name = "tunnel1"
+ region = "${var.region1}"
+ peer_ip = "${google_compute_address.vpn_static_ip2.address}"
+ shared_secret = "a secret message"
+ target_vpn_gateway = "${google_compute_vpn_gateway.target_gateway1.self_link}"
+ depends_on = ["google_compute_forwarding_rule.fr1_udp500",
+ "google_compute_forwarding_rule.fr1_udp4500",
+ "google_compute_forwarding_rule.fr1_esp"]
+}
+
+resource "google_compute_vpn_tunnel" "tunnel2" {
+ name = "tunnel2"
+ region = "${var.region2}"
+ peer_ip = "${google_compute_address.vpn_static_ip1.address}"
+ shared_secret = "a secret message"
+ target_vpn_gateway = "${google_compute_vpn_gateway.target_gateway2.self_link}"
+ depends_on = ["google_compute_forwarding_rule.fr2_udp500",
+ "google_compute_forwarding_rule.fr2_udp4500",
+ "google_compute_forwarding_rule.fr2_esp"]
+}
+
+# Each route tells the associated network to send all traffic in the dest_range
+# through the VPN tunnel
+resource "google_compute_route" "route1" {
+ name = "route1"
+ network = "${google_compute_network.network1.name}"
+ next_hop_vpn_tunnel = "${google_compute_vpn_tunnel.tunnel1.self_link}"
+ dest_range = "${google_compute_network.network2.ipv4_range}"
+ priority = 1000
+}
+
+resource "google_compute_route" "route2" {
+ name = "route2"
+ network = "${google_compute_network.network2.name}"
+ next_hop_vpn_tunnel = "${google_compute_vpn_tunnel.tunnel2.self_link}"
+ dest_range = "${google_compute_network.network1.ipv4_range}"
+ priority = 1000
+}
+
+# We want to allow the two networks to communicate, so we need to unblock
+# them in the firewall
+resource "google_compute_firewall" "network1-allow-network1" {
+ name = "network1-allow-network1"
+ network = "${google_compute_network.network1.name}"
+ source_ranges = ["${google_compute_network.network1.ipv4_range}"]
+ allow {
+ protocol = "tcp"
+ }
+ allow {
+ protocol = "udp"
+ }
+ allow {
+ protocol = "icmp"
+ }
+}
+
+resource "google_compute_firewall" "network1-allow-network2" {
+ name = "network1-allow-network2"
+ network = 
"${google_compute_network.network1.name}" + source_ranges = ["${google_compute_network.network2.ipv4_range}"] + allow { + protocol = "tcp" + } + allow { + protocol = "udp" + } + allow { + protocol = "icmp" + } +}