Terraform module to create VPN resources on Azure.
We eat, drink, sleep and, most importantly, love DevOps. We are working towards strategies for standardizing architecture while ensuring security for the infrastructure. We are strong believers in the philosophy that bigger problems are always solved by breaking them into smaller, manageable problems. Resonating with microservices architecture, it is considered best practice to run databases, clusters and storage as smaller, connected yet manageable pieces within the infrastructure.
This module is basically a combination of Terraform open source and includes automation tests and examples. It also helps you create and improve your infrastructure with minimal code instead of maintaining the whole infrastructure code yourself.
We have fifty-plus Terraform modules. A few of them are completed and available for open source usage, while a few others are in progress.
This module has a few dependencies:
- Terraform 1.x.x
- Go
- github.com/stretchr/testify/assert
- github.com/gruntwork-io/terratest/modules/terraform
IMPORTANT: Since the master branch used in source varies based on new modifications, we suggest that you use the release versions here.
Here are some examples of how you can use this module in your inventory structure:
```hcl
# vpn with azure ad
module "vpn" {
  source     = "clouddrove/vpn/azure"
  version    = "1.0.0"
  depends_on = [module.vnet]

  name        = "app"
  environment = "test"
  label_order = ["name", "environment"]

  vpn_ad               = true
  resource_group_name  = module.resource_group.resource_group_name
  virtual_network_name = module.vnet.vnet_name[0]

  vpn_client_configuration = {
    address_space        = "172.16.200.0/24"
    vpn_client_protocols = ["OpenVPN"]
    vpn_auth_types       = ["AAD"]
    aad_tenant           = "https://login.microsoftonline.com/bcffb719XXXXXXXXXXXX7ebfb2f7bdd"
    aad_audience         = "41b23e61-6c1e-4545-b367-cd054e0ed4b4"
    aad_issuer           = "https://sts.windows.net/bcffb719XXXXXXXXXXXX7ebfb2f7bdd/"
  }
}
```
```hcl
# vpn with certificate
module "vpn" {
  source     = "clouddrove/vpn/azure"
  version    = "1.0.0"
  depends_on = [module.vnet]

  name        = "app"
  environment = "test"
  label_order = ["name", "environment"]

  vpn_with_certificate = true
  resource_group_name  = module.resource_group.resource_group_name
  virtual_network_name = module.vnet.vnet_name[0]

  vpn_client_configuration_c = {
    address_space        = "172.16.201.0/24"
    vpn_client_protocols = ["OpenVPN", "IkeV2"]
    certificate          = <<EOF
MIIC5jCCAc6gAwIBAgIIUeUhLYf6UNwwDQYJKoZIhvcNAQELBQAwETEPMA0GA1UE
AxMGVlBOIENBMB4XDTIyMTExMTE0MzA1NFoXDTI1MTExMDE0MzA1NFowETEPMA0G
A1UEAxMGVlBOIENBMIIBIjaNBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6bxr
s1kwbRztA7mH79EoIlyZsmAhdIXV8ehbzNIakk1ByOqtBpQK1Xvde1z6rjL1hzCn
XD6xjW+xfF+yQ/zMyc6udrK2OvtuFmAsBYL5Bbb+Nf7U6Rp9IWZA6f/HO+XLft6q
sC0UD1wEK6LSn/1u+fCfT3UCMCjpskAtE3ossZCuhUjJ8jGNUb07Z84dQEQf0s3n
13V0kqNfpaxAhlWUVWrvKWlEGigoTqk4NcTNAzUEGR1b4Rt8qNzIwk8DhODfiOwT
ILsB3XWyA/IOv2eL3Eqx/lkykIBSEJALPE7j6igyTMoSPHtQA7NWrgYeWgiWh1AQ
VJpuY1vAIm3gfMAEoQIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB
/wQEAwIBBjAdBgNVHQ4EFgQUiEbr34wufRJ6+1Fh5am89bxRCuswDQYJKoZIhvcN
AQELBQADggEBABHs7e6X2uLpUPkfv0r8TH3MnskPEGObcqGDS8WWH0FO7hsbSMeZ
bTxJue6WTUvwrxYrmfqRZU/K+TtDregsa+GAYsl0wbl82nu2gBivpARLXYenfmwc
Zgul+ZwQPw7FB9rLugW7qKMhGUxYYnywTyfZI1EjP6ZAjYn7xB9G7zOGpkVCErPn
LIO1Knhk7J2XIXs6wCw1OcLJfXhjEEbnYZaHYA3LCTot9LM+3ecloILUo7rQgooB
4/YOgmo7Q3Qv0ahFvsEI/ZqSop6NpLlzIQ/T3hC/6m4aG/1u+yaac4E9ygZNg184
Mb0BNzEPxRFt+L8A72gd/nTcxGrxEcQlqEc=
EOF
  }
}
```
```hcl
# site-to-site vpn
module "vpn" {
  source  = "clouddrove/vpn/azure"
  version = "1.0.0"

  name        = "site-to-site"
  environment = "test"
  label_order = ["name", "environment"]

  sts_vpn              = true
  resource_group_name  = module.resource_group.resource_group_name
  virtual_network_name = module.vnet.vnet_name[0]
  gateway_type         = "Vpn"

  local_networks = [
    {
      local_gw_name         = "app-test-onpremise"
      local_gateway_address = "20.232.135.45"
      local_address_space   = ["30.1.0.0/16"]
      shared_key            = "xpCGkHTBQmDvZK9HnLr7DAvH"
    },
  ]
}
```
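The site-to-site and certificate examples above embed the IPsec pre-shared key and the root-CA body as literals, which means they end up in source control and in every plan output. The following is an added example, not part of the module's own documentation, showing the same two variants with those secrets moved out of the `.tf` files; `module.resource_group`, `module.vnet` and the file `vpn-root-ca.b64` are assumptions, and `onprem_shared_key` is a variable introduced here.

```hcl
# Added example (not from the clouddrove/vpn/azure docs): the site-to-site and
# certificate variants above with the pre-shared key and root-CA data kept out of
# committed .tf files. Assumes module.resource_group and module.vnet exist as in
# the README examples, and that vpn-root-ca.b64 holds the base64 certificate body
# without PEM headers (assumed file, not a module feature).
variable "onprem_shared_key" {
  description = "IPsec pre-shared key for the on-premises tunnel; pass via TF_VAR_onprem_shared_key or an uncommitted .tfvars"
  type        = string
  sensitive   = true # Terraform redacts it from plan/apply output
}

module "vpn_s2s" {
  source               = "clouddrove/vpn/azure"
  version              = "1.0.0"
  name                 = "site-to-site"
  environment          = "test"
  label_order          = ["name", "environment"]
  sts_vpn              = true
  resource_group_name  = module.resource_group.resource_group_name
  virtual_network_name = module.vnet.vnet_name[0]
  gateway_type         = "Vpn"
  local_networks = [
    {
      local_gw_name         = "app-test-onpremise"
      local_gateway_address = "20.232.135.45" # on-premises endpoint from the README example
      local_address_space   = ["30.1.0.0/16"]
      shared_key            = var.onprem_shared_key # no literal key in source control
    },
  ]
}

module "vpn_cert" {
  source               = "clouddrove/vpn/azure"
  version              = "1.0.0"
  depends_on           = [module.vnet]
  name                 = "app"
  environment          = "test"
  label_order          = ["name", "environment"]
  vpn_with_certificate = true
  resource_group_name  = module.resource_group.resource_group_name
  virtual_network_name = module.vnet.vnet_name[0]
  vpn_client_configuration_c = {
    address_space        = "172.16.201.0/24"
    vpn_client_protocols = ["OpenVPN", "IkeV2"]
    # read at plan time; rotate the CA by replacing the file, not by editing .tf
    certificate = trimspace(file("${path.module}/vpn-root-ca.b64"))
  }
}
```

The key still lands in the Terraform state, so the state backend needs the same access controls you would give the key itself.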
Name | Description | Type | Default | Required
---|---|---|---|---
app_name | Name (e.g. `app` or `cluster`). | `string` | `""` | no
bgp_asn_number | The Autonomous System Number (ASN) to use as part of the BGP. | `string` | `"65515"` | no
bgp_peer_weight | The weight added to routes which have been learned through BGP peering. Valid values can be between 0 and 100. | `string` | `""` | no
bgp_peering_address | The BGP peer IP address of the virtual network gateway. This address is needed to configure the created gateway as a BGP peer on the on-premises VPN devices. The IP address must be part of the subnet of the Virtual Network Gateway. | `string` | `""` | no
enable_active_active | If true, an active-active Virtual Network Gateway will be created. An active-active gateway requires a HighPerformance or an UltraPerformance SKU. If false, an active-standby gateway will be created. Defaults to false. | `bool` | `false` | no
enable_bgp | If true, BGP (Border Gateway Protocol) will be enabled for this Virtual Network Gateway. Defaults to false. | `bool` | `false` | no
environment | Environment (e.g. `prod`, `dev`, `staging`). | `string` | `""` | no
express_route_circuit_id | The ID of the Express Route Circuit when creating an ExpressRoute connection. | `any` | `null` | no
expressroute_sku | Configuration of the size and capacity of the virtual network gateway for the ExpressRoute type. Valid options are Standard, HighPerformance, UltraPerformance, ErGw1AZ, ErGw2AZ and ErGw3AZ, and depend on the type, vpn_type and generation arguments. | `string` | `"Standard"` | no
gateway_connection_protocol | The IKE protocol version to use. Possible values are IKEv1 and IKEv2. Defaults to IKEv2. | `string` | `"IKEv2"` | no
gateway_connection_type | The type of connection. Valid options are IPsec (Site-to-Site), ExpressRoute (ExpressRoute), and Vnet2Vnet (VNet-to-VNet). | `string` | `"IPsec"` | no
gateway_type | The type of the Virtual Network Gateway. Valid options are Vpn or ExpressRoute. | `string` | `"Vpn"` | no
label_order | Label order, e.g. the sequence of `name`, `environment` and `attribute` (such as `webserver`, `qa`, `devops`, `public`). | `list(any)` | `[]` | no
local_bgp_settings | Local Network Gateway's BGP speaker settings. | `list(object({ asn_number = number, peering_address = string, peer_weight = number }))` | `null` | no
local_networks | List of local network connections to connect to the gateway. | `list(object({ local_gw_name = string, local_gateway_address = string, local_address_space = list(string), shared_key = string }))` | `[]` | no
local_networks_ipsec_policy | IPsec policy for local networks. Only a single policy can be defined for a connection. | `any` | `null` | no
location | The location/region to keep all your network resources. To get the list of all locations in table format from the Azure CLI, run `az account list-locations -o table`. | `string` | `""` | no
managedby | ManagedBy, e.g. ''. | `string` | `""` | no
name | Name (e.g. `app` or `cluster`). | `string` | `""` | no
peer_virtual_network_gateway_id | The ID of the peer virtual network gateway when creating a VNet-to-VNet connection. | `any` | `null` | no
public_ip_allocation_method | Defines the allocation method for this IP address. Possible values are Static or Dynamic. Defaults to Dynamic. | `string` | `"Dynamic"` | no
public_ip_sku | The SKU of the Public IP. Accepted values are Basic and Standard. Defaults to Basic. | `string` | `"Basic"` | no
repository | Terraform current module repo. | `string` | `""` | no
resource_group_name | A container that holds related resources for an Azure solution. | `string` | `""` | no
sku | Configuration of the size and capacity of the virtual network gateway. | `string` | `"VpnGw3"` | no
sts_vpn | Set to true to create the site-to-site VPN gateway resources; when false the module creates none of them. | `bool` | `false` | no
subnet_name | The name of the subnet to use in VM scale set. | `string` | `""` | no
tags | A map of tags to add to all resources. | `map(string)` | `{}` | no
virtual_network_name | The name of the virtual network. | `string` | `""` | no
vpn_ad | Set to true to create the point-to-site VPN gateway with Azure AD authentication; when false the module creates none of those resources. | `bool` | `false` | no
vpn_client_configuration | Virtual Network Gateway client configuration to accept point-to-site connections authenticated with Azure AD. | `object({ address_space = string, vpn_client_protocols = list(string), aad_tenant = string, aad_audience = string, aad_issuer = string, vpn_auth_types = list(string) })` | `null` | no
vpn_client_configuration_c | Virtual Network Gateway client configuration to accept point-to-site connections authenticated with a root certificate. | `object({ address_space = string, vpn_client_protocols = list(string), certificate = string })` | `null` | no
vpn_gateway_name | The name of the Virtual Network Gateway. | `string` | `""` | no
vpn_gw_generation | The generation of the Virtual Network Gateway. Possible values include Generation1, Generation2 or None. | `string` | `"Generation2"` | no
vpn_gw_sku | Configuration of the size and capacity of the virtual network gateway. Valid options are Basic, VpnGw1, VpnGw2, VpnGw3, VpnGw4, VpnGw5, VpnGw1AZ, VpnGw2AZ, VpnGw3AZ, VpnGw4AZ and VpnGw5AZ, and depend on the type, vpn_type and generation arguments. | `string` | `"VpnGw3"` | no
vpn_type | The routing type of the Virtual Network Gateway. Valid options are RouteBased or PolicyBased. Defaults to RouteBased. | `string` | `"RouteBased"` | no
vpn_with_certificate | Set to true to create the point-to-site VPN gateway with certificate authentication; when false the module creates none of those resources. | `bool` | `false` | no
Name | Description
---|---
local_network_gw_connection_id | The ID of the Virtual Network Gateway Connection.
local_network_gw_id | The ID of the Local Network Gateway.
vpn_gw_id | The ID of the Virtual Network Gateway.
vpn_gw_id_certificate | The ID of the Virtual Network Gateway created for the certificate-authenticated point-to-site variant.
In this module, testing is performed with Terratest: it creates a small piece of infrastructure, matches outputs such as IDs and tag names, and then destroys the infrastructure in your Azure account. The tests are written in Go, so you need a Go environment on your system.
You need to run the following command in the testing folder:
```shell
go test -run Test
```
If you come across a bug or have any feedback, please log it in our issue tracker, or feel free to drop us an email at [email protected].
If you have found it worth your time, go ahead and give us a ★ on our GitHub!
At CloudDrove, we offer expert guidance, implementation support and services to help organisations accelerate their journey to the cloud. Our services include docker and container orchestration, cloud migration and adoption, infrastructure automation, application modernisation and remediation, and performance engineering.
We are The Cloud Experts!
We ❤️ Open Source and you can check out our other modules to get help with your new Cloud ideas.