feat: Setting Default AWS VPN Tunnel Options (#5)

tfhartmann · web-flow · commit d263bbc1df26 · 2021-03-22T14:02:10.000-04:00
* feat: Setting Default AWS VPN Tunnel Options This addresses the known issue described in the Google docs for creating an HA VPN Connection with AWS https://cloud.google.com/network-connectivity/docs/vpn/how-to/creating-ha-vpn * feat: updating defaults Updating the default tunnel settings. To be slightly more robust. * feat: update DH group to 18 This is the max supported DH group on GCP currently * docs: update docs with correct DH group
diff --git a/HEADER.md b/HEADER.md
@@ -4,6 +4,7 @@ Overview of high-level configurations steps to set up HA VPN with Amazon Web Ser
 * Create the HA VPN gateway and a Cloud Router. This creates 2 public IP addresses on the GCP side.
 * Create two AWS Virtual Private Gateways. This creates 4 public addresses on the AWS side.
 * Create two AWS Site-to-Site VPN connections and customer gateways, one for each AWS Virtual Private Gateway. Specify a non-overlapping link-local Tunnel IP Range for each tunnel, 4 total. For example, 169.254.1.4/30.
+  * Configure AES-256, SHA-2 and DH group 18, [as a combination of single Phase 1 and Phase 2 encryption algorithms, integrity algorithms, and DH group numbers.](https://cloud.google.com/network-connectivity/docs/vpn/how-to/creating-ha-vpn)
 * Download the AWS configuration files for the generic device type.
 * Create four VPN tunnels on the HA VPN gateway.
 * Configure BGP sessions on the Cloud Router using the BGP IP addresses from the downloaded AWS configuration files.
diff --git a/README.md b/README.md
@@ -4,6 +4,7 @@ Overview of high-level configurations steps to set up HA VPN with Amazon Web Ser
 * Create the HA VPN gateway and a Cloud Router. This creates 2 public IP addresses on the GCP side.
 * Create two AWS Virtual Private Gateways. This creates 4 public addresses on the AWS side.
 * Create two AWS Site-to-Site VPN connections and customer gateways, one for each AWS Virtual Private Gateway. Specify a non-overlapping link-local Tunnel IP Range for each tunnel, 4 total. For example, 169.254.1.4/30.
+  * Configure AES-256, SHA-2 and DH group 18, [as a combination of single Phase 1 and Phase 2 encryption algorithms, integrity algorithms, and DH group numbers.](https://cloud.google.com/network-connectivity/docs/vpn/how-to/creating-ha-vpn)
 * Download the AWS configuration files for the generic device type.
 * Create four VPN tunnels on the HA VPN gateway.
 * Configure BGP sessions on the Cloud Router using the BGP IP addresses from the downloaded AWS configuration files.
@@ -61,6 +62,7 @@ https://cloud.google.com/vpn/docs/how-to/creating-ha-vpn
 |------|-------------|------|---------|:--------:|
 | transit\_gateway\_id | AWS Transit Gateway ID | `string` | n/a | yes |
 | amazon\_side\_asn | BGP ASN Number for the AWS side of the VPN | `number` | `64512` | no |
+| aws\_vpn\_configs | AWS Tunnels Configs for aws\_vpn\_connection. This addresses this [known issue](https://cloud.google.com/network-connectivity/docs/vpn/how-to/creating-ha-vpn). | `map(any)` | <pre>{<br>  "dh_group_numbers": [<br>    "18"<br>  ],<br>  "encryption_algorithms": [<br>    "AES256"<br>  ],<br>  "integrity_algorithms": [<br>    "SHA2-256"<br>  ]<br>}</pre> | no |
 | google\_network | Google VPN Network name, can be either a name or a self\_link | `string` | `"default"` | no |
 | google\_side\_asn | BGP ASN Number for the Google side of the VPN | `number` | `65534` | no |
 | router\_advertise\_config | Router custom advertisement configuration, ip\_ranges is a map of address ranges and descriptions. More info can be found here https://www.terraform.io/docs/providers/google/r/compute_router.html#bgp (Default:  null) | <pre>object({<br>    groups    = list(string)<br>    ip_ranges = map(string)<br>    mode      = string<br>  })</pre> | `null` | no |
diff --git a/main.tf b/main.tf
@@ -69,10 +69,10 @@ resource "google_compute_ha_vpn_gateway" "gateway" {
   network  = var.google_network
 }
 
-# Can't loop the cgw because TF erros with : Terraform value depends on resource attributes that cannot be determined
+# Can't loop the cgw because TF errors with : Terraform value depends on resource attributes that cannot be determined
 # until apply, so Terraform cannot predict how many instances will be created.
 # We know for each GW there will always be 2 interfaces so maybe a map of alpha/beta if we want a loop. For now
-# I'm leaving as seperate resources.
+# I'm leaving as separate resources.
 
 resource "aws_customer_gateway" "cgw-alpha" {
   bgp_asn    = var.google_side_asn
@@ -97,19 +97,43 @@ resource "aws_customer_gateway" "cgw-beta" {
 // TODO Track this Issue and implement when ready https://github.com/terraform-providers/terraform-provider-aws/issues/11584
 
 resource "aws_vpn_connection" "vpn-alpha" {
-  customer_gateway_id = aws_customer_gateway.cgw-alpha.id
-  transit_gateway_id  = var.transit_gateway_id
-  type                = aws_customer_gateway.cgw-alpha.type
+  customer_gateway_id                  = aws_customer_gateway.cgw-alpha.id
+  transit_gateway_id                   = var.transit_gateway_id
+  type                                 = aws_customer_gateway.cgw-alpha.type
+  tunnel1_phase1_encryption_algorithms = var.aws_vpn_configs.encryption_algorithms
+  tunnel2_phase1_encryption_algorithms = var.aws_vpn_configs.encryption_algorithms
+  tunnel1_phase1_integrity_algorithms  = var.aws_vpn_configs.integrity_algorithms
+  tunnel2_phase1_integrity_algorithms  = var.aws_vpn_configs.integrity_algorithms
+  tunnel1_phase1_dh_group_numbers      = var.aws_vpn_configs.dh_group_numbers
+  tunnel2_phase1_dh_group_numbers      = var.aws_vpn_configs.dh_group_numbers
+  tunnel1_phase2_encryption_algorithms = var.aws_vpn_configs.encryption_algorithms
+  tunnel2_phase2_encryption_algorithms = var.aws_vpn_configs.encryption_algorithms
+  tunnel1_phase2_integrity_algorithms  = var.aws_vpn_configs.integrity_algorithms
+  tunnel2_phase2_integrity_algorithms  = var.aws_vpn_configs.integrity_algorithms
+  tunnel1_phase2_dh_group_numbers      = var.aws_vpn_configs.dh_group_numbers
+  tunnel2_phase2_dh_group_numbers      = var.aws_vpn_configs.dh_group_numbers
 
   tags = {
     "Name" = "vpn-to-google-alpha-${local.suffix}"
   }
 }
 
 resource "aws_vpn_connection" "vpn-beta" {
-  customer_gateway_id = aws_customer_gateway.cgw-beta.id
-  transit_gateway_id  = var.transit_gateway_id
-  type                = aws_customer_gateway.cgw-beta.type
+  customer_gateway_id                  = aws_customer_gateway.cgw-beta.id
+  transit_gateway_id                   = var.transit_gateway_id
+  type                                 = aws_customer_gateway.cgw-beta.type
+  tunnel1_phase1_encryption_algorithms = var.aws_vpn_configs.encryption_algorithms
+  tunnel2_phase1_encryption_algorithms = var.aws_vpn_configs.encryption_algorithms
+  tunnel1_phase1_integrity_algorithms  = var.aws_vpn_configs.integrity_algorithms
+  tunnel2_phase1_integrity_algorithms  = var.aws_vpn_configs.integrity_algorithms
+  tunnel1_phase1_dh_group_numbers      = var.aws_vpn_configs.dh_group_numbers
+  tunnel2_phase1_dh_group_numbers      = var.aws_vpn_configs.dh_group_numbers
+  tunnel1_phase2_encryption_algorithms = var.aws_vpn_configs.encryption_algorithms
+  tunnel2_phase2_encryption_algorithms = var.aws_vpn_configs.encryption_algorithms
+  tunnel1_phase2_integrity_algorithms  = var.aws_vpn_configs.integrity_algorithms
+  tunnel2_phase2_integrity_algorithms  = var.aws_vpn_configs.integrity_algorithms
+  tunnel1_phase2_dh_group_numbers      = var.aws_vpn_configs.dh_group_numbers
+  tunnel2_phase2_dh_group_numbers      = var.aws_vpn_configs.dh_group_numbers
 
   tags = {
     "Name" = "vpn-to-google-beta-${local.suffix}"
@@ -174,7 +198,7 @@ resource "google_compute_vpn_tunnel" "tunnels" {
   description                     = "Tunnel to AWS - HA VPN interface ${each.key} to AWS interface ${each.value.tunnel_address}"
   router                          = google_compute_router.router.self_link
   ike_version                     = 2
-  shared_secret                   = each.value.shared_secret #local.external_vpn_gateway_interfaces[0].shared_secret #aws_vpn_connection.vpn-alpha.tunnel1_preshared_key
+  shared_secret                   = each.value.shared_secret
   vpn_gateway                     = google_compute_ha_vpn_gateway.gateway.self_link
   vpn_gateway_interface           = each.value.vpn_gateway_interface
   peer_external_gateway           = google_compute_external_vpn_gateway.external_gateway.self_link
@@ -186,7 +210,7 @@ resource "google_compute_router_interface" "interfaces" {
   for_each   = local.external_vpn_gateway_interfaces
   name       = "interface${each.key}-${google_compute_router.router.name}"
   router     = google_compute_router.router.name
-  ip_range   = each.value.cgw_inside_address #"${aws_vpn_connection.vpn-alpha.tunnel1_cgw_inside_address}/30" #"169.254.0.1/30"
+  ip_range   = each.value.cgw_inside_address
   vpn_tunnel = google_compute_vpn_tunnel.tunnels[each.key].name
 }
 
@@ -195,7 +219,7 @@ resource "google_compute_router_peer" "router_peers" {
   for_each        = local.external_vpn_gateway_interfaces
   name            = "peer${each.key}-${google_compute_router.router.name}"
   router          = google_compute_router.router.name
-  peer_ip_address = each.value.vgw_inside_address #aws_vpn_connection.vpn-alpha.tunnel1_vgw_inside_address #"169.254.0.2"
-  peer_asn        = each.value.asn                #aws_vpn_connection.vpn-alpha.tunnel1_bgp_asn # aws_customer_gateway.cgw-alpha.bgp_asn #aws_vpn_connection.vpn-alpha.tunnel1_bgp_asn #64515
+  peer_ip_address = each.value.vgw_inside_address
+  peer_asn        = each.value.asn
   interface       = google_compute_router_interface.interfaces[each.key].name
 }
diff --git a/variables.tf b/variables.tf
@@ -29,6 +29,16 @@ variable "amazon_side_asn" {
   description = "BGP ASN Number for the AWS side of the VPN"
 }
 
+variable "aws_vpn_configs" {
+  type        = map(any)
+  description = "AWS Tunnels Configs for aws_vpn_connection. This addresses this [known issue](https://cloud.google.com/network-connectivity/docs/vpn/how-to/creating-ha-vpn)."
+  default = {
+    encryption_algorithms = ["AES256"]
+    integrity_algorithms  = ["SHA2-256"]
+    dh_group_numbers      = ["18"]
+  }
+}
+
 variable "google_side_asn" {
   type        = number
   default     = 65534
