Merge pull request #2 from rackspace-infrastructure-automation/new-vp…

…n-features-presharedkey-insidecidr New VPN Features PresharedKey and InsideCIDR #143
rackspace-infrastructure-automation · Oct 25, 2018 · b33f4a2 · b33f4a2
2 parents cf14593 + 1ea8316
commit b33f4a2
Show file tree

Hide file tree

Showing 4 changed files with 217 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -17,6 +17,9 @@ module "vpn1" {
  static_routes       = ["192.168.0.0/23", "192.168.4.0/23"]
  static_routes_count = 2
  vpc_id              = "${module.vpc.vpc_id}"
+ # use_preshared_keys = true
+ # preshared_keys   = ["XXXXXXXXXXXXX1", "XXXXXXXXXXXXX2"] #Always use aws_kms_secrets to manage sensitive information. More info: https://manage.rackspace.com/aws/docs/product-guide/iac_beta/managing-secrets.html
+ 
 }
 ```
 
@@ -32,9 +35,15 @@ module "vpn1" {
  route_tables        = "${concat(module.vpc.public_route_tables, module.vpc.private_route_tables)}"
  route_tables_count  = 3
  vpc_id              = "${module.vpc.vpc_id}"
+ # use_preshared_keys = true
+ # preshared_keys   = ["XXXXXXXXXXXXX1", "XXXXXXXXXXXXX2"] #Always use aws_kms_secrets to manage sensitive information: More info: https://manage.rackspace.com/aws/docs/product-guide/iac_beta/managing-secrets.html
+ # bgp_inside_cidrs = true
+ # bgp_inside_cidrs = ["169.254.18.0/30", "169.254.17.0/30"]
 }
 ```
 
+
+
 Full working references are available at [examples](examples)
 
 
@@ -61,6 +70,10 @@ Full working references are available at [examples](examples)
 | static_routes_count | The number of internal subnets on the customer side. | string | `0` | no |
 | tags | Custom tags to apply to all resources. | map | `<map>` | no |
 | vpc_id | Provide Virtual Private Cloud ID in which the VPN resources will be deployed | string | - | yes |
+| use_preshared_keys | Boolean value to determine if presharedkeys should be used for the VPN tunnels. If custom presharedkeys are required for this VPN this value should be set to true. | string | false | no
+| preshared_keys | Pre-shared key (PSK) to establish initial authentication between the virtual private gateway and customer gateway. Allowed characters are alphanumeric characters and ._. Must be between 8 and 64 characters in length and cannot start with zero (0), #Always use **aws_kms_key** to manage sensitive information. Use it in conjunction with variable **preshared_keys**.  Example ["XXXX","XXXX"]  | list | [] | no
+| use_bgp_inside_cidrs | Boolean value to determine if BGP Inside CIDR addresses should be used for the VPN tunnels. If custom inside CIDRs are required for this VPN this value should be set to true. | string | false | no
+| bgp_inside_cidrs | Range of inside IP addresses for the tunnel. Any specified CIDR blocks must be unique across all VPN connections that use the same virtual private gateway. A size /30 CIDR block from the 169.254.0.0/16 range. The following CIDR blocks are reserved and cannot be used: 169.254.0.0/30, 169.254.1.0/30, 169.254.2.0/30, 169.254.3.0/30, 169.254.4.0/30, 169.254.5.0/30, 169.254.169.252/30. Example ["169.254.16.0/30", "169.254.15.0/30"] | list | [] | no
 
 ## Outputs
 

diff --git a/main.tf b/main.tf
@@ -85,18 +85,54 @@ resource "aws_vpn_gateway" "vpn_gateway" {
 }
 
 resource "aws_vpn_connection" "vpn_connection" {
+  count               = "${!var.use_preshared_keys && !var.use_bgp_inside_cidrs ? 1 : 0}"
   customer_gateway_id = "${local.customer_gateway}"
   static_routes_only  = "${var.disable_bgp}"
   tags                = "${merge(map("Name", "${var.name}-VpnConnection"), var.tags, local.tags)}"
   type                = "ipsec.1"
   vpn_gateway_id      = "${local.vpn_gateway}"
 }
 
+resource "aws_vpn_connection" "vpn_connection_custom_presharedkey" {
+  count                 = "${var.use_preshared_keys && !var.use_bgp_inside_cidrs ? 1 : 0}"
+  customer_gateway_id   = "${local.customer_gateway}"
+  static_routes_only    = "${var.disable_bgp}"
+  tags                  = "${merge(map("Name", "${var.name}-VpnConnection"), var.tags, local.tags)}"
+  type                  = "ipsec.1"
+  vpn_gateway_id        = "${local.vpn_gateway}"
+  tunnel1_preshared_key = "${element(var.preshared_keys,0)}"
+  tunnel2_preshared_key = "${element(var.preshared_keys,1)}"
+}
+
+resource "aws_vpn_connection" "vpn_connection_custom_inside_cidr" {
+  count               = "${!var.use_preshared_keys && var.use_bgp_inside_cidrs ? 1 : 0}"
+  customer_gateway_id = "${local.customer_gateway}"
+  static_routes_only  = "${var.disable_bgp}"
+  tags                = "${merge(map("Name", "${var.name}-VpnConnection"), var.tags, local.tags)}"
+  type                = "ipsec.1"
+  vpn_gateway_id      = "${local.vpn_gateway}"
+  tunnel1_inside_cidr = "${element(var.bgp_inside_cidrs,0)}"
+  tunnel2_inside_cidr = "${element(var.bgp_inside_cidrs,1)}"
+}
+
+resource "aws_vpn_connection" "vpn_connection_custom_attributes" {
+  count                 = "${var.use_preshared_keys && var.use_bgp_inside_cidrs ? 1 : 0}"
+  customer_gateway_id   = "${local.customer_gateway}"
+  static_routes_only    = "${var.disable_bgp}"
+  tags                  = "${merge(map("Name", "${var.name}-VpnConnection"), var.tags, local.tags)}"
+  type                  = "ipsec.1"
+  vpn_gateway_id        = "${local.vpn_gateway}"
+  tunnel1_preshared_key = "${element(var.preshared_keys,0)}"
+  tunnel2_preshared_key = "${element(var.preshared_keys,1)}"
+  tunnel1_inside_cidr   = "${element(var.bgp_inside_cidrs,0)}"
+  tunnel2_inside_cidr   = "${element(var.bgp_inside_cidrs,1)}"
+}
+
 resource "aws_vpn_connection_route" "static_routes" {
   count = "${var.disable_bgp ? var.static_routes_count : 0}"
 
   destination_cidr_block = "${element(var.static_routes, count.index)}"
-  vpn_connection_id      = "${aws_vpn_connection.vpn_connection.id}"
+  vpn_connection_id      = "${element(concat(aws_vpn_connection.vpn_connection.*.id,aws_vpn_connection.vpn_connection_custom_presharedkey.*.id,aws_vpn_connection.vpn_connection_custom_inside_cidr.*.id,aws_vpn_connection.vpn_connection_custom_attributes.*.id, list("")), 0)}"
 }
 
 resource "aws_vpn_gateway_route_propagation" "route_propagation" {
@@ -119,6 +155,6 @@ resource "aws_cloudwatch_metric_alarm" "vpn_status" {
   threshold           = "0"
 
   dimensions {
-    VpnId = "${aws_vpn_connection.vpn_connection.id}"
+    VpnId = "${element(concat(aws_vpn_connection.vpn_connection.*.id,aws_vpn_connection.vpn_connection_custom_presharedkey.*.id,aws_vpn_connection.vpn_connection_custom_inside_cidr.*.id,aws_vpn_connection.vpn_connection_custom_attributes.*.id, list("")), 0)}"
   }
 }
diff --git a/tests/test1/main.tf b/tests/test1/main.tf
@@ -9,7 +9,7 @@ provider "aws" {
 }
 
 module "vpc" {
-  source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-vpc_basenetwork//"
+  source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-vpc_basenetwork//?ref=master"
 
   vpc_name = "Test1VPC"
 }
@@ -46,11 +46,153 @@ module "vpn2" {
   create_vpn_gateway   = false
   existing_vpn_gateway = "${module.vpn1.vpn_gateway}"
 
-  customer_ip = "9.10.11.12"
+  customer_ip = "1.2.3.5"
 
   disable_bgp = false
   bgp_asn     = 65000
 
   route_tables       = "${concat(module.vpc.public_route_tables, module.vpc.private_route_tables)}"
   route_tables_count = 3
 }
+
+##########################
+# PresharedKey values    #
+##########################
+
+resource "random_string" "presharedkey1" {
+  length           = 16
+  number           = false
+  special          = true
+  override_special = "-."
+}
+
+resource "random_string" "presharedkey2" {
+  length           = 16
+  special          = true
+  number           = false
+  override_special = "-."
+}
+
+############################################
+# Use Static Routing With PresharedKey #
+############################################
+
+module "vpn3" {
+  source = "../../module"
+
+  name = "StaticRoutingVPN-PSK"
+
+  vpc_id               = "${module.vpc.vpc_id}"
+  customer_ip          = "1.2.3.6"
+  create_vpn_gateway   = false
+  existing_vpn_gateway = "${module.vpn1.vpn_gateway}"
+
+  route_tables       = "${concat(module.vpc.public_route_tables, module.vpc.private_route_tables)}"
+  route_tables_count = 3
+
+  static_routes       = ["192.168.12.0/23", "192.168.16.0/23"]
+  static_routes_count = 2
+  use_preshared_keys  = true
+  preshared_keys      = ["${random_string.presharedkey1.result}", "${random_string.presharedkey2.result}"]
+}
+
+##############################################
+# Use Dynamic Routing with preshared key#
+##############################################
+
+module "vpn4" {
+  source = "../../module"
+
+  name = "DynamicRoutingVPN-PSK"
+
+  vpc_id               = "${module.vpc.vpc_id}"
+  create_vpn_gateway   = false
+  existing_vpn_gateway = "${module.vpn1.vpn_gateway}"
+
+  customer_ip = "1.2.3.7"
+
+  disable_bgp = false
+  bgp_asn     = 65001
+
+  route_tables       = "${concat(module.vpc.public_route_tables, module.vpc.private_route_tables)}"
+  route_tables_count = 3
+  use_preshared_keys = true
+  preshared_keys     = ["${random_string.presharedkey1.result}", "${random_string.presharedkey2.result}"]
+}
+
+##############################################
+# Use Dynamic Routing with preshared key and inside CIDR#
+##############################################
+
+module "vpn5" {
+  source = "../../module"
+
+  name = "DynamicRoutingVPN-PSK-ICIDR"
+
+  vpc_id               = "${module.vpc.vpc_id}"
+  create_vpn_gateway   = false
+  existing_vpn_gateway = "${module.vpn1.vpn_gateway}"
+
+  customer_ip = "1.2.3.8"
+
+  disable_bgp = false
+  bgp_asn     = 65002
+
+  route_tables         = "${concat(module.vpc.public_route_tables, module.vpc.private_route_tables)}"
+  route_tables_count   = 3
+  use_preshared_keys   = true
+  use_bgp_inside_cidrs = true
+  preshared_keys       = ["${random_string.presharedkey1.result}", "${random_string.presharedkey2.result}"]
+  bgp_inside_cidrs     = ["169.254.16.0/30", "169.254.15.0/30"]
+}
+
+##############################################
+# Use Dynamic Routing with inside CIDR#
+##############################################
+
+module "vpn6" {
+  source = "../../module"
+
+  name = "DynamicRoutingVPN-ICIDR"
+
+  vpc_id               = "${module.vpc.vpc_id}"
+  create_vpn_gateway   = false
+  existing_vpn_gateway = "${module.vpn1.vpn_gateway}"
+
+  customer_ip = "1.2.3.9"
+
+  disable_bgp = false
+  bgp_asn     = 65003
+
+  route_tables       = "${concat(module.vpc.public_route_tables, module.vpc.private_route_tables)}"
+  route_tables_count = 3
+
+  use_bgp_inside_cidrs = true
+  bgp_inside_cidrs     = ["169.254.12.0/30", "169.254.13.0/30"]
+}
+
+############################################
+# Use Static Routing With PresharedKey and IncideCidr #
+############################################
+
+module "vpn7" {
+  source = "../../module"
+
+  name = "StaticRoutingVPN-PSK-ICIDR"
+
+  vpc_id               = "${module.vpc.vpc_id}"
+  customer_ip          = "1.2.3.10"
+  create_vpn_gateway   = false
+  existing_vpn_gateway = "${module.vpn1.vpn_gateway}"
+
+  route_tables       = "${concat(module.vpc.public_route_tables, module.vpc.private_route_tables)}"
+  route_tables_count = 3
+
+  static_routes       = ["192.168.18.0/23", "192.168.20.0/23"]
+  static_routes_count = 2
+
+  use_preshared_keys   = true
+  use_bgp_inside_cidrs = true
+  preshared_keys       = ["${random_string.presharedkey1.result}", "${random_string.presharedkey2.result}"]
+  bgp_inside_cidrs     = ["169.254.18.0/30", "169.254.17.0/30"]
+}
diff --git a/variables.tf b/variables.tf
@@ -109,3 +109,25 @@ variable "vpc_id" {
   description = "Provide Virtual Private Cloud ID in which the VPN resources will be deployed"
   type        = "string"
 }
+
+variable "preshared_keys" {
+  description = "The pre-shared key (PSK) to establish initial authentication between the virtual private gateway and customer gateway. Allowed characters are alphanumeric characters and ._. Must be between 8 and 64 characters in length and cannot start with zero (0)."
+  type        = "list"
+  default     = []
+}
+
+variable "bgp_inside_cidrs" {
+  description = "Pre-shared key (PSK) to establish initial authentication between the virtual private gateway and customer gateway. Allowed characters are alphanumeric characters and ._. Must be between 8 and 64 characters in length and cannot start with zero (0), #Always use **aws_kms_key** to manage sensitive information. Use it in conjunction with variable **preshared_keys**.  Example [\"XXXX\",\"XXXX\"]"
+  type        = "list"
+  default     = []
+}
+
+variable "use_preshared_keys" {
+  description = "Range of inside IP addresses for the tunnel. Any specified CIDR blocks must be unique across all VPN connections that use the same virtual private gateway. A size /30 CIDR block from the 169.254.0.0/16 range. The following CIDR blocks are reserved and cannot be used: 169.254.0.0/30, 169.254.1.0/30, 169.254.2.0/30, 169.254.3.0/30, 169.254.4.0/30, 169.254.5.0/30, 169.254.169.252/30. Example [\"169.254.16.0/30\", \"169.254.15.0/30\"]"
+  default     = false
+}
+
+variable "use_bgp_inside_cidrs" {
+  description = "Boolean value to determine if BGP Inside CIDR addresses should be used for the VPN tunnels. If custom inside CIDRs are required for this VPN this value should be set to true."
+  default     = false
+}