
     1  # An example of how to connect two GCE networks with a VPN
     2  provider "google" {
     3      account_file = "${file("~/gce/account.json")}"
     4      project = "${var.project}"
     5      region = "${var.region1}"
     6  }
     7  
# Create the two networks we want to join. They must have separate,
# non-overlapping internal ranges.
    10  resource "google_compute_network" "network1" {
    11      name = "network1"
    12      ipv4_range = "10.120.0.0/16"
    13  }
    14  
    15  resource "google_compute_network" "network2" {
    16      name = "network2"
    17      ipv4_range = "10.121.0.0/16"
    18  }
    19  
    20  # Attach a VPN gateway to each network.
    21  resource "google_compute_vpn_gateway" "target_gateway1" {
    22      name = "vpn1"
    23      network = "${google_compute_network.network1.self_link}"
    24      region = "${var.region1}"
    25  }
    26  
    27  resource "google_compute_vpn_gateway" "target_gateway2" {
    28      name = "vpn2"
    29      network = "${google_compute_network.network2.self_link}"
    30      region = "${var.region2}"
    31  }
    32  
# Create an outward-facing static IP for each VPN; each side uses the other's
# address as its peer.
    35  resource "google_compute_address" "vpn_static_ip1" {
    36      name = "vpn-static-ip1"
    37      region = "${var.region1}"
    38  }
    39  
    40  resource "google_compute_address" "vpn_static_ip2" {
    41      name = "vpn-static-ip2"
    42      region = "${var.region2}"
    43  }
    44  
    45  # Forward IPSec traffic coming into our static IP to our VPN gateway.
    46  resource "google_compute_forwarding_rule" "fr1_esp" {
    47      name = "fr1-esp"
    48      region = "${var.region1}"
    49      ip_protocol = "ESP"
    50      ip_address = "${google_compute_address.vpn_static_ip1.address}"
    51      target = "${google_compute_vpn_gateway.target_gateway1.self_link}"
    52  }
    53  
    54  resource "google_compute_forwarding_rule" "fr2_esp" {
    55      name = "fr2-esp"
    56      region = "${var.region2}"
    57      ip_protocol = "ESP"
    58      ip_address = "${google_compute_address.vpn_static_ip2.address}"
    59      target = "${google_compute_vpn_gateway.target_gateway2.self_link}"
    60  }
    61  
# The following two sets of forwarding rules are also required by the IPSec
# protocol (key exchange and NAT traversal).
    64  resource "google_compute_forwarding_rule" "fr1_udp500" {
    65      name = "fr1-udp500"
    66      region = "${var.region1}"
    67      ip_protocol = "UDP"
    68      port_range = "500"
    69      ip_address = "${google_compute_address.vpn_static_ip1.address}"
    70      target = "${google_compute_vpn_gateway.target_gateway1.self_link}"
    71  }
    72  
    73  resource "google_compute_forwarding_rule" "fr2_udp500" {
    74      name = "fr2-udp500"
    75      region = "${var.region2}"
    76      ip_protocol = "UDP"
    77      port_range = "500"
    78      ip_address = "${google_compute_address.vpn_static_ip2.address}"
    79      target = "${google_compute_vpn_gateway.target_gateway2.self_link}"
    80  }
    81  
    82  resource "google_compute_forwarding_rule" "fr1_udp4500" {
    83      name = "fr1-udp4500"
    84      region = "${var.region1}"
    85      ip_protocol = "UDP"
    86      port_range = "4500"
    87      ip_address = "${google_compute_address.vpn_static_ip1.address}"
    88      target = "${google_compute_vpn_gateway.target_gateway1.self_link}"
    89  }
    90  
    91  resource "google_compute_forwarding_rule" "fr2_udp4500" {
    92      name = "fr2-udp4500"
    93      region = "${var.region2}"
    94      ip_protocol = "UDP"
    95      port_range = "4500"
    96      ip_address = "${google_compute_address.vpn_static_ip2.address}"
    97      target = "${google_compute_vpn_gateway.target_gateway2.self_link}"
    98  }
    99  
   100  # Each tunnel is responsible for encrypting and decrypting traffic exiting
   101  # and leaving its associated gateway
   102  resource "google_compute_vpn_tunnel" "tunnel1" {
   103      name = "tunnel1"
   104      region = "${var.region1}"
   105      peer_ip = "${google_compute_address.vpn_static_ip2.address}"
   106      shared_secret = "a secret message"
   107      target_vpn_gateway = "${google_compute_vpn_gateway.target_gateway1.self_link}"
   108      depends_on = ["google_compute_forwarding_rule.fr1_udp500",
   109          "google_compute_forwarding_rule.fr1_udp4500",
   110          "google_compute_forwarding_rule.fr1_esp"]
   111  }
   112  
   113  resource "google_compute_vpn_tunnel" "tunnel2" {
   114      name = "tunnel2"
   115      region = "${var.region2}"
   116      peer_ip = "${google_compute_address.vpn_static_ip1.address}"
   117      shared_secret = "a secret message"
   118      target_vpn_gateway = "${google_compute_vpn_gateway.target_gateway2.self_link}"
   119      depends_on = ["google_compute_forwarding_rule.fr2_udp500",
   120          "google_compute_forwarding_rule.fr2_udp4500",
   121          "google_compute_forwarding_rule.fr2_esp"]
   122  }
   123  
# Each route tells the associated network to send all traffic destined for
# dest_range through the VPN tunnel.
   126  resource "google_compute_route" "route1" {
   127      name = "route1"
   128      network = "${google_compute_network.network1.name}"
   129      next_hop_vpn_tunnel = "${google_compute_vpn_tunnel.tunnel1.self_link}"
   130      dest_range = "${google_compute_network.network2.ipv4_range}"
   131      priority = 1000
   132  }
   133  
   134  resource "google_compute_route" "route2" {
   135      name = "route2"
   136      network = "${google_compute_network.network2.name}"
   137      next_hop_vpn_tunnel = "${google_compute_vpn_tunnel.tunnel2.self_link}"
   138      dest_range = "${google_compute_network.network1.ipv4_range}"
   139      priority = 1000
   140  }
   141  
# We want to allow the two networks to communicate, so we need to unblock
# them in the firewall.
   144  resource "google_compute_firewall" "network1-allow-network1" {
   145      name = "network1-allow-network1"
   146      network = "${google_compute_network.network1.name}"
   147      source_ranges = ["${google_compute_network.network1.ipv4_range}"]
   148      allow {
   149          protocol = "tcp"
   150      }
   151      allow {
   152          protocol = "udp"
   153      }
   154      allow {
   155          protocol = "icmp"
   156      }
   157  }
   158  
   159  resource "google_compute_firewall" "network1-allow-network2" {
   160      name = "network1-allow-network2"
   161      network = "${google_compute_network.network1.name}"
   162      source_ranges = ["${google_compute_network.network2.ipv4_range}"]
   163      allow {
   164          protocol = "tcp"
   165      }
   166      allow {
   167          protocol = "udp"
   168      }
   169      allow {
   170          protocol = "icmp"
   171      }
   172  }