Upcloud: Added ipsec properties for UpCloud gateway VPN
parent
306abc5284
commit
e574cab44d
|
@ -150,7 +150,20 @@ terraform destroy --var-file cluster-settings.tfvars \
|
||||||
* `remote_routes`: Map of local routes for the connection
|
* `remote_routes`: Map of local routes for the connection
|
||||||
* `type`: Type of route
|
* `type`: Type of route
|
||||||
* `static_network`: Destination prefix of the route; needs to be a valid IPv4 prefix
|
* `static_network`: Destination prefix of the route; needs to be a valid IPv4 prefix
|
||||||
|
* `tunnels`: The tunnels to create for this connection
|
||||||
* `remote_address`: The remote address for the tunnel
|
* `remote_address`: The remote address for the tunnel
|
||||||
|
* `ipsec_properties`: Set properties of IPSec, if not set, defaults will be used
|
||||||
|
* `child_rekey_time`: IKE child SA rekey time in seconds
|
||||||
|
* `dpd_delay`: Delay before sending Dead Peer Detection packets if no traffic is detected, in seconds
|
||||||
|
* `dpd_timeout`: Timeout period for DPD reply before considering the peer to be dead, in seconds
|
||||||
|
* `ike_lifetime`: Maximum IKE SA lifetime in seconds()
|
||||||
|
* `rekey_time`: IKE SA rekey time in seconds
|
||||||
|
* `phase1_algorithms`: List of Phase 1: Proposal algorithms
|
||||||
|
* `phase1_dh_group_numbers`: List of Phase 1 Diffie-Hellman group numbers
|
||||||
|
* `phase1_integrity_algorithms`: List of Phase 1 integrity algorithms
|
||||||
|
* `phase2_algorithms`: List of Phase 2: Security Association algorithms
|
||||||
|
* `phase2_dh_group_numbers`: List of Phase 2 Diffie-Hellman group numbers
|
||||||
|
* `phase2_integrity_algorithms`: List of Phase 2 integrity algorithms
|
||||||
* `gateway_vpn_psks`: Separate variable for providing psks for connection tunnels. Environment variable can be exported in the following format `export TF_VAR_gateway_vpn_psks='{"${gateway-name}-${connecton-name}-tunnel":{psk:"..."}}'`
|
* `gateway_vpn_psks`: Separate variable for providing psks for connection tunnels. Environment variable can be exported in the following format `export TF_VAR_gateway_vpn_psks='{"${gateway-name}-${connecton-name}-tunnel":{psk:"..."}}'`
|
||||||
* `static_routes`: Static routes to apply to the router, requires `router_enable` is set to true
|
* `static_routes`: Static routes to apply to the router, requires `router_enable` is set to true
|
||||||
* `network_peerings`: Other UpCloud private networks to peer with, requires `router_enable` is set to true
|
* `network_peerings`: Other UpCloud private networks to peer with, requires `router_enable` is set to true
|
||||||
|
|
|
@ -175,10 +175,14 @@ gateways = {
|
||||||
# static_network = "4.3.2.1/24"
|
# static_network = "4.3.2.1/24"
|
||||||
# }
|
# }
|
||||||
# }
|
# }
|
||||||
|
# tunnels = {
|
||||||
|
# "tunnel1" = {
|
||||||
# remote_address = "1.2.3.4"
|
# remote_address = "1.2.3.4"
|
||||||
# }
|
# }
|
||||||
# }
|
# }
|
||||||
# }
|
# }
|
||||||
|
# }
|
||||||
|
# }
|
||||||
}
|
}
|
||||||
# gateway_vpn_psks = {} # Should be loaded as an environment variable
|
# gateway_vpn_psks = {} # Should be loaded as an environment variable
|
||||||
static_routes = {
|
static_routes = {
|
||||||
|
|
|
@ -35,15 +35,19 @@ locals {
|
||||||
|
|
||||||
gateway_connection_tunnels = flatten([
|
gateway_connection_tunnels = flatten([
|
||||||
for gateway_name, gateway in var.gateways : [
|
for gateway_name, gateway in var.gateways : [
|
||||||
for connection_name, connection in gateway.connections : {
|
for connection_name, connection in gateway.connections : [
|
||||||
|
for tunnel_name, tunnel in connection.tunnels : {
|
||||||
"gateway_id" = upcloud_gateway.gateway[gateway_name].id
|
"gateway_id" = upcloud_gateway.gateway[gateway_name].id
|
||||||
"gateway_name" = gateway_name
|
"gateway_name" = gateway_name
|
||||||
"connection_id" = upcloud_gateway_connection.gateway_connection["${gateway_name}-${connection_name}"].id
|
"connection_id" = upcloud_gateway_connection.gateway_connection["${gateway_name}-${connection_name}"].id
|
||||||
"connection_name" = connection_name
|
"connection_name" = connection_name
|
||||||
|
"tunnel_name" = tunnel_name
|
||||||
"local_address_name" = tolist(upcloud_gateway.gateway[gateway_name].address).0.name
|
"local_address_name" = tolist(upcloud_gateway.gateway[gateway_name].address).0.name
|
||||||
"remote_address" = connection.remote_address
|
"remote_address" = tunnel.remote_address
|
||||||
|
"ipsec_properties" = tunnel.ipsec_properties
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
|
]
|
||||||
])
|
])
|
||||||
|
|
||||||
# If prefix is set, all resources will be prefixed with "${var.prefix}-"
|
# If prefix is set, all resources will be prefixed with "${var.prefix}-"
|
||||||
|
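Review bot: The new inner loop `for tunnel_name, tunnel in connection.tunnels : {` will abort the plan with an iteration-over-null error whenever a caller leaves `tunnels` out of a connection, because the module-side type in this commit declares it as `optional(map(object({...})))` with no default (only the root-level copy of the variable adds `, {}`, and presumably that copy is what normally feeds this module). Iterate `for tunnel_name, tunnel in coalesce(connection.tunnels, {}) : {` here, or give the module attribute a `{}` default, so a connection without tunnels simply produces no tunnel resources. The enclosing `locals` block starts before this hunk.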
@ -684,7 +688,7 @@ resource "upcloud_gateway_connection" "gateway_connection" {
|
||||||
|
|
||||||
resource "upcloud_gateway_connection_tunnel" "gateway_connection_tunnel" {
|
resource "upcloud_gateway_connection_tunnel" "gateway_connection_tunnel" {
|
||||||
for_each = {
|
for_each = {
|
||||||
for gct in local.gateway_connection_tunnels : "${gct.gateway_name}-${gct.connection_name}-tunnel" => gct
|
for gct in local.gateway_connection_tunnels : "${gct.gateway_name}-${gct.connection_name}-${gct.tunnel_name}-tunnel" => gct
|
||||||
}
|
}
|
||||||
|
|
||||||
connection_id = each.value.connection_id
|
connection_id = each.value.connection_id
|
||||||
|
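Review bot: Changing the `for_each` key to `"${gct.gateway_name}-${gct.connection_name}-${gct.tunnel_name}-tunnel"` changes the address of every existing `upcloud_gateway_connection_tunnel` instance, so the next apply will destroy and recreate each VPN tunnel (dropping its IPsec SA) instead of updating it in place; `moved` blocks for the existing instances, or a documented `terraform state mv` step, would avoid that outage. The same key is used for the PSK lookup (`var.gateway_vpn_psks[each.key].psk`, just below this hunk), yet the README in this commit still documents the environment-variable key as `${gateway-name}-${connecton-name}-tunnel`, so existing PSK maps stop resolving and the plan fails on a missing map key; the example should read `"${gateway-name}-${connection-name}-${tunnel-name}-tunnel"`. Since the key is built from user-chosen names joined with `-`, two different name triples can also collide (Terraform reports this as a duplicate object key at plan time), which is worth a sentence in the README. The resource block continues past this hunk.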
@ -695,6 +699,24 @@ resource "upcloud_gateway_connection_tunnel" "gateway_connection_tunnel" {
|
||||||
ipsec_auth_psk {
|
ipsec_auth_psk {
|
||||||
psk = var.gateway_vpn_psks[each.key].psk
|
psk = var.gateway_vpn_psks[each.key].psk
|
||||||
}
|
}
|
||||||
|
|
||||||
|
dynamic "ipsec_properties" {
|
||||||
|
for_each = each.value.ipsec_properties != null ? { "ip": each.value.ipsec_properties } : {}
|
||||||
|
|
||||||
|
content {
|
||||||
|
child_rekey_time = ipsec_properties.value["child_rekey_time"]
|
||||||
|
dpd_delay = ipsec_properties.value["dpd_delay"]
|
||||||
|
dpd_timeout = ipsec_properties.value["dpd_timeout"]
|
||||||
|
ike_lifetime = ipsec_properties.value["ike_lifetime"]
|
||||||
|
rekey_time = ipsec_properties.value["rekey_time"]
|
||||||
|
phase1_algorithms = ipsec_properties.value["phase1_algorithms"]
|
||||||
|
phase1_dh_group_numbers = ipsec_properties.value["phase1_dh_group_numbers"]
|
||||||
|
phase1_integrity_algorithms = ipsec_properties.value["phase1_integrity_algorithms"]
|
||||||
|
phase2_algorithms = ipsec_properties.value["phase2_algorithms"]
|
||||||
|
phase2_dh_group_numbers = ipsec_properties.value["phase2_dh_group_numbers"]
|
||||||
|
phase2_integrity_algorithms = ipsec_properties.value["phase2_integrity_algorithms"]
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "upcloud_network_peering" "peering" {
|
resource "upcloud_network_peering" "peering" {
|
||||||
|
|
|
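Review bot: The shared secret flows straight from `var.gateway_vpn_psks[each.key].psk` into `ipsec_auth_psk`; the declaration of `gateway_vpn_psks` is outside this hunk, and unless it carries `sensitive = true` the PSK is echoed in `terraform plan` output and CI logs, so please confirm it does (state still stores it in plaintext, which is the reason to keep state-backend access restricted). Nothing in the new `dynamic "ipsec_properties"` block checks the values it forwards, so a mistyped algorithm name or an implausible timer combination is only rejected by the API at apply time, after the plan was approved. As a style point, `for_each = each.value.ipsec_properties != null ? { "ip": each.value.ipsec_properties } : {}` can be written `for_each = each.value.ipsec_properties[*]`, which yields a one- or zero-element list and lets the body use `ipsec_properties.value.child_rekey_time` without the synthetic `ip` key.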
@ -139,7 +139,22 @@ variable "gateways" {
|
||||||
type = string
|
type = string
|
||||||
static_network = string
|
static_network = string
|
||||||
})))
|
})))
|
||||||
|
tunnels = optional(map(object({
|
||||||
remote_address = string
|
remote_address = string
|
||||||
|
ipsec_properties = optional(object({
|
||||||
|
child_rekey_time = number
|
||||||
|
dpd_delay = number
|
||||||
|
dpd_timeout = number
|
||||||
|
ike_lifetime = number
|
||||||
|
rekey_time = number
|
||||||
|
phase1_algorithms = set(string)
|
||||||
|
phase1_dh_group_numbers = set(string)
|
||||||
|
phase1_integrity_algorithms = set(string)
|
||||||
|
phase2_algorithms = set(string)
|
||||||
|
phase2_dh_group_numbers = set(string)
|
||||||
|
phase2_integrity_algorithms = set(string)
|
||||||
|
}))
|
||||||
|
})))
|
||||||
})))
|
})))
|
||||||
}))
|
}))
|
||||||
}
|
}
|
||||||
|
|
|
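Review bot: Every attribute inside the new `ipsec_properties` object is declared required (`number` / `set(string)`), so an operator who wants to change a single timer must restate all eleven values, which contradicts the README text "if not set, defaults will be used" and encourages copy-pasting whole algorithm lists from examples; wrapping each attribute in `optional(...)` leaves omitted ones null, which the provider treats as unset so its defaults apply. The `tunnels` attribute at the top of the hunk also lacks the `{}` default that the root-level copy of this variable has, so a connection declared without `tunnels` becomes null rather than an empty map. The `variable "gateways"` block starts before this hunk.
```hcl
# … unchanged: remote_routes object …
tunnels = optional(map(object({
  remote_address = string
  # null attributes are passed through as unset, so provider defaults apply per field
  ipsec_properties = optional(object({
    child_rekey_time            = optional(number)
    dpd_delay                   = optional(number)
    dpd_timeout                 = optional(number)
    ike_lifetime                = optional(number)
    rekey_time                  = optional(number)
    phase1_algorithms           = optional(set(string))
    phase1_dh_group_numbers     = optional(set(string))
    phase1_integrity_algorithms = optional(set(string))
    phase2_algorithms           = optional(set(string))
    phase2_dh_group_numbers     = optional(set(string))
    phase2_integrity_algorithms = optional(set(string))
  }))
})), {})
```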
@ -3,7 +3,7 @@ terraform {
|
||||||
required_providers {
|
required_providers {
|
||||||
upcloud = {
|
upcloud = {
|
||||||
source = "UpCloudLtd/upcloud"
|
source = "UpCloudLtd/upcloud"
|
||||||
version = "~>5.8.0"
|
version = "~>5.9.0"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
required_version = ">= 0.13"
|
required_version = ">= 0.13"
|
||||||
|
|
|
@ -181,7 +181,22 @@ variable "gateways" {
|
||||||
type = string
|
type = string
|
||||||
static_network = string
|
static_network = string
|
||||||
})), {})
|
})), {})
|
||||||
|
tunnels = optional(map(object({
|
||||||
remote_address = string
|
remote_address = string
|
||||||
|
ipsec_properties = optional(object({
|
||||||
|
child_rekey_time = number
|
||||||
|
dpd_delay = number
|
||||||
|
dpd_timeout = number
|
||||||
|
ike_lifetime = number
|
||||||
|
rekey_time = number
|
||||||
|
phase1_algorithms = set(string)
|
||||||
|
phase1_dh_group_numbers = set(string)
|
||||||
|
phase1_integrity_algorithms = set(string)
|
||||||
|
phase2_algorithms = set(string)
|
||||||
|
phase2_dh_group_numbers = set(string)
|
||||||
|
phase2_integrity_algorithms = set(string)
|
||||||
|
}))
|
||||||
|
})), {})
|
||||||
})), {})
|
})), {})
|
||||||
}))
|
}))
|
||||||
default = {}
|
default = {}
|
||||||
|
|
|
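Review bot: This root-level variable is where operator input enters, but it has no `validation` block for the new IKE/IPsec parameters, so a `dpd_timeout` shorter than `dpd_delay`, a `rekey_time` that is not below `ike_lifetime`, or an empty algorithm set (which `set(string)` happily accepts) is only rejected at apply time. The accepted algorithm and DH-group identifiers are provider-defined, so I would not hard-code a list here, but the timer ordering is presumably safe to enforce at plan time; `try(..., true)` is used below because Terraform's `||` does not short-circuit on a null `ipsec_properties`. The `variable "gateways"` block starts before this hunk.
```hcl
# … unchanged: type = map(object({ … })) …
default = {}

validation {
  condition = alltrue(flatten([
    for g in var.gateways : [
      for c in g.connections : [
        for t in c.tunnels : try(
          t.ipsec_properties.rekey_time < t.ipsec_properties.ike_lifetime &&
          t.ipsec_properties.dpd_delay < t.ipsec_properties.dpd_timeout,
          true # ipsec_properties omitted: provider defaults apply
        )
      ]
    ]
  ]))
  error_message = "ipsec_properties: rekey_time must be below ike_lifetime and dpd_delay below dpd_timeout."
}
```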
@ -3,7 +3,7 @@ terraform {
|
||||||
required_providers {
|
required_providers {
|
||||||
upcloud = {
|
upcloud = {
|
||||||
source = "UpCloudLtd/upcloud"
|
source = "UpCloudLtd/upcloud"
|
||||||
version = "~>5.8.0"
|
version = "~>5.9.0"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
required_version = ">= 0.13"
|
required_version = ">= 0.13"
|
||||||
|
|