github.com/candidpartners/terraform@v0.9.5-0.20171005231213-29f5f88820f6/examples/gce-vpn/vpn.tf (about) 1 # An example of how to connect two GCE networks with a VPN 2 provider "google" { 3 account_file = "${file("~/gce/account.json")}" 4 project = "${var.project}" 5 region = "${var.region1}" 6 } 7 8 # Create the two networks we want to join. They must have separate, internal 9 # ranges. 10 resource "google_compute_network" "network1" { 11 name = "network1" 12 ipv4_range = "10.120.0.0/16" 13 } 14 15 resource "google_compute_network" "network2" { 16 name = "network2" 17 ipv4_range = "10.121.0.0/16" 18 } 19 20 # Attach a VPN gateway to each network. 21 resource "google_compute_vpn_gateway" "target_gateway1" { 22 name = "vpn1" 23 network = "${google_compute_network.network1.self_link}" 24 region = "${var.region1}" 25 } 26 27 resource "google_compute_vpn_gateway" "target_gateway2" { 28 name = "vpn2" 29 network = "${google_compute_network.network2.self_link}" 30 region = "${var.region2}" 31 } 32 33 # Create an outward facing static IP for each VPN that will be used by the 34 # other VPN to connect. 35 resource "google_compute_address" "vpn_static_ip1" { 36 name = "vpn-static-ip1" 37 region = "${var.region1}" 38 } 39 40 resource "google_compute_address" "vpn_static_ip2" { 41 name = "vpn-static-ip2" 42 region = "${var.region2}" 43 } 44 45 # Forward IPSec traffic coming into our static IP to our VPN gateway. 46 resource "google_compute_forwarding_rule" "fr1_esp" { 47 name = "fr1-esp" 48 region = "${var.region1}" 49 ip_protocol = "ESP" 50 ip_address = "${google_compute_address.vpn_static_ip1.address}" 51 target = "${google_compute_vpn_gateway.target_gateway1.self_link}" 52 } 53 54 resource "google_compute_forwarding_rule" "fr2_esp" { 55 name = "fr2-esp" 56 region = "${var.region2}" 57 ip_protocol = "ESP" 58 ip_address = "${google_compute_address.vpn_static_ip2.address}" 59 target = "${google_compute_vpn_gateway.target_gateway2.self_link}" 60 } 61 62 # The following two sets of forwarding rules are used as a part of the IPSec 63 # protocol 64 resource "google_compute_forwarding_rule" "fr1_udp500" { 65 name = "fr1-udp500" 66 region = "${var.region1}" 67 ip_protocol = "UDP" 68 port_range = "500" 69 ip_address = "${google_compute_address.vpn_static_ip1.address}" 70 target = "${google_compute_vpn_gateway.target_gateway1.self_link}" 71 } 72 73 resource "google_compute_forwarding_rule" "fr2_udp500" { 74 name = "fr2-udp500" 75 region = "${var.region2}" 76 ip_protocol = "UDP" 77 port_range = "500" 78 ip_address = "${google_compute_address.vpn_static_ip2.address}" 79 target = "${google_compute_vpn_gateway.target_gateway2.self_link}" 80 } 81 82 resource "google_compute_forwarding_rule" "fr1_udp4500" { 83 name = "fr1-udp4500" 84 region = "${var.region1}" 85 ip_protocol = "UDP" 86 port_range = "4500" 87 ip_address = "${google_compute_address.vpn_static_ip1.address}" 88 target = "${google_compute_vpn_gateway.target_gateway1.self_link}" 89 } 90 91 resource "google_compute_forwarding_rule" "fr2_udp4500" { 92 name = "fr2-udp4500" 93 region = "${var.region2}" 94 ip_protocol = "UDP" 95 port_range = "4500" 96 ip_address = "${google_compute_address.vpn_static_ip2.address}" 97 target = "${google_compute_vpn_gateway.target_gateway2.self_link}" 98 } 99 100 # Each tunnel is responsible for encrypting and decrypting traffic exiting 101 # and leaving its associated gateway 102 resource "google_compute_vpn_tunnel" "tunnel1" { 103 name = "tunnel1" 104 region = "${var.region1}" 105 peer_ip = "${google_compute_address.vpn_static_ip2.address}" 106 shared_secret = "a secret message" 107 target_vpn_gateway = "${google_compute_vpn_gateway.target_gateway1.self_link}" 108 109 depends_on = ["google_compute_forwarding_rule.fr1_udp500", 110 "google_compute_forwarding_rule.fr1_udp4500", 111 "google_compute_forwarding_rule.fr1_esp", 112 ] 113 } 114 115 resource "google_compute_vpn_tunnel" "tunnel2" { 116 name = "tunnel2" 117 region = "${var.region2}" 118 peer_ip = "${google_compute_address.vpn_static_ip1.address}" 119 shared_secret = "a secret message" 120 target_vpn_gateway = "${google_compute_vpn_gateway.target_gateway2.self_link}" 121 122 depends_on = ["google_compute_forwarding_rule.fr2_udp500", 123 "google_compute_forwarding_rule.fr2_udp4500", 124 "google_compute_forwarding_rule.fr2_esp", 125 ] 126 } 127 128 # Each route tells the associated network to send all traffic in the dest_range 129 # through the VPN tunnel 130 resource "google_compute_route" "route1" { 131 name = "route1" 132 network = "${google_compute_network.network1.name}" 133 next_hop_vpn_tunnel = "${google_compute_vpn_tunnel.tunnel1.self_link}" 134 dest_range = "${google_compute_network.network2.ipv4_range}" 135 priority = 1000 136 } 137 138 resource "google_compute_route" "route2" { 139 name = "route2" 140 network = "${google_compute_network.network2.name}" 141 next_hop_vpn_tunnel = "${google_compute_vpn_tunnel.tunnel2.self_link}" 142 dest_range = "${google_compute_network.network1.ipv4_range}" 143 priority = 1000 144 } 145 146 # We want to allow the two networks to communicate, so we need to unblock 147 # them in the firewall 148 resource "google_compute_firewall" "network1-allow-network1" { 149 name = "network1-allow-network1" 150 network = "${google_compute_network.network1.name}" 151 source_ranges = ["${google_compute_network.network1.ipv4_range}"] 152 153 allow { 154 protocol = "tcp" 155 } 156 157 allow { 158 protocol = "udp" 159 } 160 161 allow { 162 protocol = "icmp" 163 } 164 } 165 166 resource "google_compute_firewall" "network1-allow-network2" { 167 name = "network1-allow-network2" 168 network = "${google_compute_network.network1.name}" 169 source_ranges = ["${google_compute_network.network2.ipv4_range}"] 170 171 allow { 172 protocol = "tcp" 173 } 174 175 allow { 176 protocol = "udp" 177 } 178 179 allow { 180 protocol = "icmp" 181 } 182 }