github.com/candidpartners/terraform@v0.9.5-0.20171005231213-29f5f88820f6/examples/gce-vpn/vpn.tf (about)

     1  # An example of how to connect two GCE networks with a VPN
     2  provider "google" {
     3    account_file = "${file("~/gce/account.json")}"
     4    project      = "${var.project}"
     5    region       = "${var.region1}"
     6  }
     7  
     8  # Create the two networks we want to join. They must have separate, internal
     9  # ranges.
    10  resource "google_compute_network" "network1" {
    11    name       = "network1"
    12    ipv4_range = "10.120.0.0/16"
    13  }
    14  
    15  resource "google_compute_network" "network2" {
    16    name       = "network2"
    17    ipv4_range = "10.121.0.0/16"
    18  }
    19  
    20  # Attach a VPN gateway to each network.
    21  resource "google_compute_vpn_gateway" "target_gateway1" {
    22    name    = "vpn1"
    23    network = "${google_compute_network.network1.self_link}"
    24    region  = "${var.region1}"
    25  }
    26  
    27  resource "google_compute_vpn_gateway" "target_gateway2" {
    28    name    = "vpn2"
    29    network = "${google_compute_network.network2.self_link}"
    30    region  = "${var.region2}"
    31  }
    32  
    33  # Create an outward facing static IP for each VPN that will be used by the
    34  # other VPN to connect.
    35  resource "google_compute_address" "vpn_static_ip1" {
    36    name   = "vpn-static-ip1"
    37    region = "${var.region1}"
    38  }
    39  
    40  resource "google_compute_address" "vpn_static_ip2" {
    41    name   = "vpn-static-ip2"
    42    region = "${var.region2}"
    43  }
    44  
    45  # Forward IPSec traffic coming into our static IP to our VPN gateway.
    46  resource "google_compute_forwarding_rule" "fr1_esp" {
    47    name        = "fr1-esp"
    48    region      = "${var.region1}"
    49    ip_protocol = "ESP"
    50    ip_address  = "${google_compute_address.vpn_static_ip1.address}"
    51    target      = "${google_compute_vpn_gateway.target_gateway1.self_link}"
    52  }
    53  
    54  resource "google_compute_forwarding_rule" "fr2_esp" {
    55    name        = "fr2-esp"
    56    region      = "${var.region2}"
    57    ip_protocol = "ESP"
    58    ip_address  = "${google_compute_address.vpn_static_ip2.address}"
    59    target      = "${google_compute_vpn_gateway.target_gateway2.self_link}"
    60  }
    61  
    62  # The following two sets of forwarding rules are used as a part of the IPSec
    63  # protocol
    64  resource "google_compute_forwarding_rule" "fr1_udp500" {
    65    name        = "fr1-udp500"
    66    region      = "${var.region1}"
    67    ip_protocol = "UDP"
    68    port_range  = "500"
    69    ip_address  = "${google_compute_address.vpn_static_ip1.address}"
    70    target      = "${google_compute_vpn_gateway.target_gateway1.self_link}"
    71  }
    72  
    73  resource "google_compute_forwarding_rule" "fr2_udp500" {
    74    name        = "fr2-udp500"
    75    region      = "${var.region2}"
    76    ip_protocol = "UDP"
    77    port_range  = "500"
    78    ip_address  = "${google_compute_address.vpn_static_ip2.address}"
    79    target      = "${google_compute_vpn_gateway.target_gateway2.self_link}"
    80  }
    81  
    82  resource "google_compute_forwarding_rule" "fr1_udp4500" {
    83    name        = "fr1-udp4500"
    84    region      = "${var.region1}"
    85    ip_protocol = "UDP"
    86    port_range  = "4500"
    87    ip_address  = "${google_compute_address.vpn_static_ip1.address}"
    88    target      = "${google_compute_vpn_gateway.target_gateway1.self_link}"
    89  }
    90  
    91  resource "google_compute_forwarding_rule" "fr2_udp4500" {
    92    name        = "fr2-udp4500"
    93    region      = "${var.region2}"
    94    ip_protocol = "UDP"
    95    port_range  = "4500"
    96    ip_address  = "${google_compute_address.vpn_static_ip2.address}"
    97    target      = "${google_compute_vpn_gateway.target_gateway2.self_link}"
    98  }
    99  
   100  # Each tunnel is responsible for encrypting and decrypting traffic exiting
   101  # and leaving its associated gateway
   102  resource "google_compute_vpn_tunnel" "tunnel1" {
   103    name               = "tunnel1"
   104    region             = "${var.region1}"
   105    peer_ip            = "${google_compute_address.vpn_static_ip2.address}"
   106    shared_secret      = "a secret message"
   107    target_vpn_gateway = "${google_compute_vpn_gateway.target_gateway1.self_link}"
   108  
   109    depends_on = ["google_compute_forwarding_rule.fr1_udp500",
   110      "google_compute_forwarding_rule.fr1_udp4500",
   111      "google_compute_forwarding_rule.fr1_esp",
   112    ]
   113  }
   114  
   115  resource "google_compute_vpn_tunnel" "tunnel2" {
   116    name               = "tunnel2"
   117    region             = "${var.region2}"
   118    peer_ip            = "${google_compute_address.vpn_static_ip1.address}"
   119    shared_secret      = "a secret message"
   120    target_vpn_gateway = "${google_compute_vpn_gateway.target_gateway2.self_link}"
   121  
   122    depends_on = ["google_compute_forwarding_rule.fr2_udp500",
   123      "google_compute_forwarding_rule.fr2_udp4500",
   124      "google_compute_forwarding_rule.fr2_esp",
   125    ]
   126  }
   127  
   128  # Each route tells the associated network to send all traffic in the dest_range
   129  # through the VPN tunnel
   130  resource "google_compute_route" "route1" {
   131    name                = "route1"
   132    network             = "${google_compute_network.network1.name}"
   133    next_hop_vpn_tunnel = "${google_compute_vpn_tunnel.tunnel1.self_link}"
   134    dest_range          = "${google_compute_network.network2.ipv4_range}"
   135    priority            = 1000
   136  }
   137  
   138  resource "google_compute_route" "route2" {
   139    name                = "route2"
   140    network             = "${google_compute_network.network2.name}"
   141    next_hop_vpn_tunnel = "${google_compute_vpn_tunnel.tunnel2.self_link}"
   142    dest_range          = "${google_compute_network.network1.ipv4_range}"
   143    priority            = 1000
   144  }
   145  
   146  # We want to allow the two networks to communicate, so we need to unblock
   147  # them in the firewall
   148  resource "google_compute_firewall" "network1-allow-network1" {
   149    name          = "network1-allow-network1"
   150    network       = "${google_compute_network.network1.name}"
   151    source_ranges = ["${google_compute_network.network1.ipv4_range}"]
   152  
   153    allow {
   154      protocol = "tcp"
   155    }
   156  
   157    allow {
   158      protocol = "udp"
   159    }
   160  
   161    allow {
   162      protocol = "icmp"
   163    }
   164  }
   165  
   166  resource "google_compute_firewall" "network1-allow-network2" {
   167    name          = "network1-allow-network2"
   168    network       = "${google_compute_network.network1.name}"
   169    source_ranges = ["${google_compute_network.network2.ipv4_range}"]
   170  
   171    allow {
   172      protocol = "tcp"
   173    }
   174  
   175    allow {
   176      protocol = "udp"
   177    }
   178  
   179    allow {
   180      protocol = "icmp"
   181    }
   182  }