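# An example of how to connect two GCE networks with a VPN.
#
# var.project, var.region1 and var.region2 are referenced here but declared
# elsewhere in the example; var.vpn_shared_secret is declared in this file.
provider "google" {
  account_file = "${file("~/gce/account.json")}"
  project      = "${var.project}"
  region       = "${var.region1}"
}

# Pre-shared key for the two IPsec tunnels below; both tunnel ends must be
# configured with the same value. It has no default on purpose: a real value
# has to be supplied at plan/apply time (e.g. -var or a terraform.tfvars file
# that is kept out of version control) instead of a placeholder string living
# in this file and ending up in every copy of the example.
variable "vpn_shared_secret" {
  description = "Pre-shared key used by both google_compute_vpn_tunnel resources"
}

# Create the two networks we want to join. They must have separate, internal
# ranges.
resource "google_compute_network" "network1" {
  name       = "network1"
  ipv4_range = "10.120.0.0/16"
}

resource "google_compute_network" "network2" {
  name       = "network2"
  ipv4_range = "10.121.0.0/16"
}

# Attach a VPN gateway to each network.
resource "google_compute_vpn_gateway" "target_gateway1" {
  name    = "vpn1"
  network = "${google_compute_network.network1.self_link}"
  region  = "${var.region1}"
}

resource "google_compute_vpn_gateway" "target_gateway2" {
  name    = "vpn2"
  network = "${google_compute_network.network2.self_link}"
  region  = "${var.region2}"
}

# Create an outward facing static IP for each VPN that will be used by the
# other VPN to connect.
resource "google_compute_address" "vpn_static_ip1" {
  name   = "vpn-static-ip1"
  region = "${var.region1}"
}

resource "google_compute_address" "vpn_static_ip2" {
  name   = "vpn-static-ip2"
  region = "${var.region2}"
}

# Forward IPsec traffic coming into our static IP to our VPN gateway.
# ESP (IP protocol 50) carries the encrypted tunnel payload.
resource "google_compute_forwarding_rule" "fr1_esp" {
  name        = "fr1-esp"
  region      = "${var.region1}"
  ip_protocol = "ESP"
  ip_address  = "${google_compute_address.vpn_static_ip1.address}"
  target      = "${google_compute_vpn_gateway.target_gateway1.self_link}"
}

resource "google_compute_forwarding_rule" "fr2_esp" {
  name        = "fr2-esp"
  region      = "${var.region2}"
  ip_protocol = "ESP"
  ip_address  = "${google_compute_address.vpn_static_ip2.address}"
  target      = "${google_compute_vpn_gateway.target_gateway2.self_link}"
}

# The following two sets of forwarding rules are used as a part of the IPsec
# protocol: UDP/500 for IKE and UDP/4500 for NAT traversal.
resource "google_compute_forwarding_rule" "fr1_udp500" {
  name        = "fr1-udp500"
  region      = "${var.region1}"
  ip_protocol = "UDP"
  port_range  = "500"
  ip_address  = "${google_compute_address.vpn_static_ip1.address}"
  target      = "${google_compute_vpn_gateway.target_gateway1.self_link}"
}

resource "google_compute_forwarding_rule" "fr2_udp500" {
  name        = "fr2-udp500"
  region      = "${var.region2}"
  ip_protocol = "UDP"
  port_range  = "500"
  ip_address  = "${google_compute_address.vpn_static_ip2.address}"
  target      = "${google_compute_vpn_gateway.target_gateway2.self_link}"
}

resource "google_compute_forwarding_rule" "fr1_udp4500" {
  name        = "fr1-udp4500"
  region      = "${var.region1}"
  ip_protocol = "UDP"
  port_range  = "4500"
  ip_address  = "${google_compute_address.vpn_static_ip1.address}"
  target      = "${google_compute_vpn_gateway.target_gateway1.self_link}"
}

resource "google_compute_forwarding_rule" "fr2_udp4500" {
  name        = "fr2-udp4500"
  region      = "${var.region2}"
  ip_protocol = "UDP"
  port_range  = "4500"
  ip_address  = "${google_compute_address.vpn_static_ip2.address}"
  target      = "${google_compute_vpn_gateway.target_gateway2.self_link}"
}

# Each tunnel is responsible for encrypting and decrypting traffic entering
# and leaving its associated gateway. Each one peers with the other side's
# static IP and uses the shared pre-shared key declared above.
# depends_on makes sure the forwarding rules exist before the tunnel is
# created, otherwise the peer cannot reach the gateway.
resource "google_compute_vpn_tunnel" "tunnel1" {
  name               = "tunnel1"
  region             = "${var.region1}"
  peer_ip            = "${google_compute_address.vpn_static_ip2.address}"
  shared_secret      = "${var.vpn_shared_secret}"
  target_vpn_gateway = "${google_compute_vpn_gateway.target_gateway1.self_link}"

  depends_on = [
    "google_compute_forwarding_rule.fr1_udp500",
    "google_compute_forwarding_rule.fr1_udp4500",
    "google_compute_forwarding_rule.fr1_esp",
  ]
}

resource "google_compute_vpn_tunnel" "tunnel2" {
  name               = "tunnel2"
  region             = "${var.region2}"
  peer_ip            = "${google_compute_address.vpn_static_ip1.address}"
  shared_secret      = "${var.vpn_shared_secret}"
  target_vpn_gateway = "${google_compute_vpn_gateway.target_gateway2.self_link}"

  depends_on = [
    "google_compute_forwarding_rule.fr2_udp500",
    "google_compute_forwarding_rule.fr2_udp4500",
    "google_compute_forwarding_rule.fr2_esp",
  ]
}

# Each route tells the associated network to send all traffic in the dest_range
# through the VPN tunnel.
resource "google_compute_route" "route1" {
  name                = "route1"
  network             = "${google_compute_network.network1.name}"
  next_hop_vpn_tunnel = "${google_compute_vpn_tunnel.tunnel1.self_link}"
  dest_range          = "${google_compute_network.network2.ipv4_range}"
  priority            = 1000
}

resource "google_compute_route" "route2" {
  name                = "route2"
  network             = "${google_compute_network.network2.name}"
  next_hop_vpn_tunnel = "${google_compute_vpn_tunnel.tunnel2.self_link}"
  dest_range          = "${google_compute_network.network1.ipv4_range}"
  priority            = 1000
}

# We want to allow the two networks to communicate, so we need to unblock
# them in the firewall. The allow blocks below carry no port list, so every
# tcp and udp port is opened from the listed source range; narrow them to the
# ports actually needed when adapting this example.
#
# NOTE(review): only network1 gets ingress rules in this file. Nothing here
# allows traffic from network1 into network2, so instances in network2 will
# only accept it if matching rules are defined elsewhere in the example --
# confirm before relying on traffic in that direction.
resource "google_compute_firewall" "network1-allow-network1" {
  name          = "network1-allow-network1"
  network       = "${google_compute_network.network1.name}"
  source_ranges = ["${google_compute_network.network1.ipv4_range}"]

  allow {
    protocol = "tcp"
  }

  allow {
    protocol = "udp"
  }

  allow {
    protocol = "icmp"
  }
}

resource "google_compute_firewall" "network1-allow-network2" {
  name          = "network1-allow-network2"
  network       = "${google_compute_network.network1.name}"
  source_ranges = ["${google_compute_network.network2.ipv4_range}"]

  allow {
    protocol = "tcp"
  }

  allow {
    protocol = "udp"
  }

  allow {
    protocol = "icmp"
  }
}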