main.region1.tf
# One "cloud" VPC per entry in var.cloud_vpcs_region1 (key = VPC name, value = VPC CIDR).
module "cloud_vpc_region1" {
  source   = "./modules/aws_vpc"
  for_each = var.cloud_vpcs_region1

  name = each.key
  cidr = each.value

  # Use the first two availability zones of the region.
  azs = slice(data.aws_availability_zones.available.names, 0, 2)

  # Carve the VPC CIDR into four equal, consecutive blocks (prefix + 2 bits):
  # the first two become the public subnets, the last two the private subnets.
  public_subnets  = slice(cidrsubnets(each.value, 2, 2, 2, 2), 0, 2)
  private_subnets = slice(cidrsubnets(each.value, 2, 2, 2, 2), 2, 4)

  # No virtual private gateway on the cloud VPCs; they are attached to the
  # transit gateway instead (aws_ec2_transit_gateway_vpc_attachment.region1).
  enable_vpn_gateway                 = false
  propagate_private_route_tables_vgw = false
  propagate_public_route_tables_vgw  = false
}
# The VPC that simulates the on-premises site; it hosts the strongSwan
# gateway stack (aws_cloudformation_stack.region1_vpn_gateway) rather than an AWS VGW.
module "onprem_vpc_region1" {
  source = "./modules/aws_vpc"

  name = var.onprem_vpc_name_region1
  cidr = var.onprem_vpc_cidr_region1

  # Use the first two availability zones of the region.
  azs = slice(data.aws_availability_zones.available.names, 0, 2)

  # Carve the VPC CIDR into four equal, consecutive blocks (prefix + 2 bits):
  # the first two become the public subnets, the last two the private subnets.
  public_subnets  = slice(cidrsubnets(var.onprem_vpc_cidr_region1, 2, 2, 2, 2), 0, 2)
  private_subnets = slice(cidrsubnets(var.onprem_vpc_cidr_region1, 2, 2, 2, 2), 2, 4)

  # No AWS-managed VPN gateway here; the "on-prem" side terminates IPsec itself.
  enable_vpn_gateway                 = false
  propagate_private_route_tables_vgw = false
  propagate_public_route_tables_vgw  = false
}
# Regional transit gateway; the cloud VPCs and the site-to-site VPN attach to it.
resource "aws_ec2_transit_gateway" "tgw_region1" {
  description     = var.tgw_region1
  amazon_side_asn = var.tgw_region1_asn

  # NOTE(review): default_route_table_association and default_route_table_propagation
  # are left at the provider default ("enable"), so every attachment shares the one
  # default route table and can reach every other attachment. If the cloud VPCs must
  # be segmented from each other, set both to "disable" and manage route tables explicitly.
  tags = {
    Name = var.tgw_region1
  }
}
# Attach every region1 cloud VPC to the region1 transit gateway, one attachment
# per VPC, using that VPC's private subnets.
resource "aws_ec2_transit_gateway_vpc_attachment" "region1" {
  for_each = var.cloud_vpcs_region1

  transit_gateway_id = aws_ec2_transit_gateway.tgw_region1.id
  vpc_id             = module.cloud_vpc_region1[each.key].vpc_id
  subnet_ids         = module.cloud_vpc_region1[each.key].private_subnets

  tags = {
    Name = each.key
  }
}
# Static public address for the on-prem VPN gateway. It is allocated up front so
# the customer gateway below can reference it before the gateway instance exists.
resource "aws_eip" "onpregw_region1" {
  # `vpc = true` is the pre-5.x form of this argument; AWS provider 5.x deprecates
  # it in favour of `domain = "vpc"` — switch when the provider is upgraded.
  vpc = true

  tags = {
    Name = var.onprem_gw_name_region1
  }
}
# Customer gateway representing the on-prem side: its public IP is the EIP above
# and its BGP ASN is the one the strongSwan stack is configured with (pLocalBgpAsn).
resource "aws_customer_gateway" "cxgw_region1" {
  type       = "ipsec.1"
  ip_address = aws_eip.onpregw_region1.public_ip
  bgp_asn    = var.onpremgw_asn_region1

  tags = {
    Name = var.onprem_gw_name_region1
  }
}
# Site-to-site VPN between the customer gateway and the transit gateway.
# No static_routes_only is set, so routing over the tunnels is dynamic (BGP).
# AWS generates the tunnel pre-shared keys; they are exported below into
# Secrets Manager for the strongSwan stack to consume.
resource "aws_vpn_connection" "region1" {
  type                = aws_customer_gateway.cxgw_region1.type
  customer_gateway_id = aws_customer_gateway.cxgw_region1.id
  transit_gateway_id  = aws_ec2_transit_gateway.tgw_region1.id

  tags = {
    Name = var.onprem_gw_name_region1
  }
}
# Store the IPsec pre-shared keys in Secrets Manager.
# Secret names are derived from the VPN connection id so they are unique per
# connection and can be handed to the CloudFormation stack by name.
locals {
  region1_tunnel_1_psk_name = "${aws_vpn_connection.region1.id}-tunnel-1-psk"
  region1_tunnel_2_psk_name = "${aws_vpn_connection.region1.id}-tunnel-2-psk"
}
# Secret container for the tunnel 1 PSK (the value lives in the _version resource).
# No kms_key_id is given, so the AWS-managed Secrets Manager key encrypts it.
# NOTE(review): on destroy the secret enters the default 30-day recovery window;
# re-creating a secret with the same name inside that window fails. Set
# recovery_window_in_days if a faster teardown/rebuild cycle is needed.
resource "aws_secretsmanager_secret" "region1_tunnel_1_psk" {
  name = local.region1_tunnel_1_psk_name
}
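# Publish the tunnel 1 PSK as {"psk": "<key>"}.
# The PSK is stored in plain text in Terraform state (both here and on the
# aws_vpn_connection resource), so the state backend must be encrypted and
# access-restricted.
resource "aws_secretsmanager_secret_version" "region1_tunnel_1_psk" {
  secret_id = aws_secretsmanager_secret.region1_tunnel_1_psk.id

  # Pass the attribute directly instead of an interpolation-only "${...}" string
  # (deprecated since Terraform 0.12); the encoded JSON is identical.
  secret_string = jsonencode({ psk = aws_vpn_connection.region1.tunnel1_preshared_key })
}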
# Secret container for the tunnel 2 PSK (the value lives in the _version resource).
# No kms_key_id is given, so the AWS-managed Secrets Manager key encrypts it.
# NOTE(review): on destroy the secret enters the default 30-day recovery window;
# re-creating a secret with the same name inside that window fails. Set
# recovery_window_in_days if a faster teardown/rebuild cycle is needed.
resource "aws_secretsmanager_secret" "region1_tunnel_2_psk" {
  name = local.region1_tunnel_2_psk_name
}
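# Publish the tunnel 2 PSK as {"psk": "<key>"}.
# The PSK is stored in plain text in Terraform state (both here and on the
# aws_vpn_connection resource), so the state backend must be encrypted and
# access-restricted.
resource "aws_secretsmanager_secret_version" "region1_tunnel_2_psk" {
  secret_id = aws_secretsmanager_secret.region1_tunnel_2_psk.id

  # Pass the attribute directly instead of an interpolation-only "${...}" string
  # (deprecated since Terraform 0.12); the encoded JSON is identical.
  secret_string = jsonencode({ psk = aws_vpn_connection.region1.tunnel2_preshared_key })
}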
# Deploy the strongSwan VPN gateway CloudFormation stack into the on-prem VPC.
# Parameter reference: https://github.com/aws-samples/vpn-gateway-strongswan
# Or review the local template, vpn-gateway-strongswan.yml, next to this module.
resource "aws_cloudformation_stack" "region1_vpn_gateway" {
  name = "region1-vpn-gateway"

  # The template creates IAM resources with explicit names; CloudFormation only
  # does that when the caller acknowledges it with this capability.
  capabilities = ["CAPABILITY_NAMED_IAM"]

  template_body = file("${path.module}/vpn-gateway-strongswan.yml")

  parameters = {
    keyName = var.key_name

    # NOTE(review): the caller's public IP as returned by data.http.ip. If that
    # endpoint returns a trailing newline, wrap this in chomp() — confirm against
    # the data source definition.
    myIP = data.http.ip.response_body

    pAuthType = "psk"

    # Tunnel 1. The PSK is passed by Secrets Manager secret name, not by value.
    # Inside addresses are handed over in CIDR notation, reusing the prefix
    # length of the tunnel's inside CIDR.
    pTunnel1PskSecretName        = local.region1_tunnel_1_psk_name
    pTunnel1VgwOutsideIpAddress  = aws_vpn_connection.region1.tunnel1_address
    pTunnel1CgwInsideIpAddress   = format("%s/%s", aws_vpn_connection.region1.tunnel1_cgw_inside_address, split("/", aws_vpn_connection.region1.tunnel1_inside_cidr)[1])
    pTunnel1VgwInsideIpAddress   = format("%s/%s", aws_vpn_connection.region1.tunnel1_vgw_inside_address, split("/", aws_vpn_connection.region1.tunnel1_inside_cidr)[1])
    pTunnel1VgwBgpAsn            = aws_vpn_connection.region1.tunnel1_bgp_asn
    pTunnel1BgpNeighborIpAddress = aws_vpn_connection.region1.tunnel1_vgw_inside_address

    # Tunnel 2, same layout as tunnel 1.
    pTunnel2PskSecretName        = local.region1_tunnel_2_psk_name
    pTunnel2VgwOutsideIpAddress  = aws_vpn_connection.region1.tunnel2_address
    pTunnel2CgwInsideIpAddress   = format("%s/%s", aws_vpn_connection.region1.tunnel2_cgw_inside_address, split("/", aws_vpn_connection.region1.tunnel2_inside_cidr)[1])
    pTunnel2VgwInsideIpAddress   = format("%s/%s", aws_vpn_connection.region1.tunnel2_vgw_inside_address, split("/", aws_vpn_connection.region1.tunnel2_inside_cidr)[1])
    pTunnel2VgwBgpAsn            = aws_vpn_connection.region1.tunnel2_bgp_asn
    pTunnel2BgpNeighborIpAddress = aws_vpn_connection.region1.tunnel2_vgw_inside_address

    # Placement: first public subnet of the on-prem VPC, with the pre-allocated EIP.
    pVpcId           = module.onprem_vpc_region1.vpc_id
    pVpcCidr         = module.onprem_vpc_region1.vpc_cidr_block
    pSubnetId        = module.onprem_vpc_region1.public_subnets[0]
    pUseElasticIp    = true
    pEipAllocationId = aws_eip.onpregw_region1.id

    # Must match the ASN registered on aws_customer_gateway.cxgw_region1.
    pLocalBgpAsn = var.onpremgw_asn_region1
  }
}
# Test instances: one Linux VM in the first public subnet of each cloud VPC.
# The registry module is pinned to an exact version so upgrades are deliberate.
module "region1_test_ec2" {
  source  = "jye-aviatrix/aws-linux-vm-public/aws"
  version = "2.0.1"

  for_each = var.cloud_vpcs_region1

  vm_name   = each.key
  vpc_id    = module.cloud_vpc_region1[each.key].vpc_id
  subnet_id = module.cloud_vpc_region1[each.key].public_subnets[0]
  key_name  = var.key_name
}
# Test instance on the on-prem side, in the first public subnet of the on-prem VPC.
# Same pinned registry module as the cloud-side test instances.
module "region1_onprem_test_ec2" {
  source  = "jye-aviatrix/aws-linux-vm-public/aws"
  version = "2.0.1"

  vm_name   = "region1-onprem-test-ec2"
  vpc_id    = module.onprem_vpc_region1.vpc_id
  subnet_id = module.onprem_vpc_region1.public_subnets[0]
  key_name  = var.key_name
}