diff --git a/.github/workflows/snyk.yaml b/.github/workflows/snyk.yaml
deleted file mode 100644
index 7607d47..0000000
--- a/.github/workflows/snyk.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
----
-name: snyk
-
-on: # yamllint disable-line rule:truthy
- push:
- branches:
- - "**" # matches every branch
- - "!main" # excludes main
- pull_request:
- branches:
- - main
-
-jobs:
- security:
- runs-on: ubuntu-latest
- name: snyk
- steps:
- - name: checkout
- uses: actions/checkout@v3
-
- - name: Vulnerability scan
- uses: snyk/actions/iac@master
- with:
- command: monitor
- args: --severity-threshold=low
-
- - name: Set up Node 18
- uses: actions/setup-node@v3
- with:
- node-version: 18
-
- - name: install Snyk CLI
- run: npm install -g snyk
-
- - name: snyk monitor
- run: snyk iac test --report --severity-threshold=medium
- env:
- SNYK_TOKEN: ${{ secrets.ARC_SNYK_TOKEN }}
diff --git a/.gitignore b/.gitignore
index 3150c4a..9ddbcc5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,3 +6,4 @@ terraform.tfvars
 .idea
 .external_momdules
 *.xml
+.DS_Store
diff --git a/README.md b/README.md
index 9c63835..cafbd04 100644
--- a/README.md
+++ b/README.md
@@ -54,7 +54,7 @@ module "this" {
 | Name | Version |
 |------|---------|
 | [terraform](#requirement\_terraform) | >= 1.4, < 2.0.0 |
-| [aws](#requirement\_aws) | >= 4.0, < 6.0 |
+| [aws](#requirement\_aws) | >= 5.0, < 7.0 |
 ## Providers
@@ -75,11 +75,11 @@ No resources.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| [client\_vpn\_config](#input\_client\_vpn\_config) | VPN configuration options including certs and vpn settings |
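Review bot: Removing `.github/workflows/snyk.yaml` takes away the only IaC vulnerability scan that ran on pull requests, and nothing else in this diff adds a replacement, so the Terraform changes in this same commit land without any automated IaC scanning. If the job was dropped because it was unreliable, the visible problems are fixable rather than fatal: the `snyk/actions/iac@master` step is unpinned, and the later `snyk iac test` step scans the same tree a second time, so a single pinned step such as `uses: snyk/actions/iac@<commit-sha>` with `args: --severity-threshold=medium` would do. If scanning has moved to another system, the commit message should say where, and the now-unreferenced `ARC_SNYK_TOKEN` repository secret should be revoked so a stale credential does not linger in the organisation.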
object({
create = optional(bool, false)
# certs
server_certificate_data = optional(object({
create = optional(bool, true)
common_name = string
organization = string
allowed_uses = optional(list(string), [
"key_encipherment",
"digital_signature",
"server_auth"
])
ca_cert_pem = string
ca_private_key_pem = string
certificate_arn = optional(string, null)
}))


# vpn settings
iam_saml_provider_enabled = optional(bool, false)
iam_saml_provider_name = optional(string, null)
saml_metadata_document_content = optional(string, null)
client_cidr_block = string
split_tunnel = optional(bool, true)
self_service_portal = optional(string, "disabled")
dns_servers = optional(list(string), ["1.1.1.1", "1.0.0.1"])

# logging options
log_options = optional(object({
enabled = bool
cloudwatch_log_stream = optional(string, null)
cloudwatch_log_group = optional(string, null)
}), {
enabled = false
})

# authentication options
authentication_options = list(object({
active_directory_id = optional(string, null)
root_certificate_chain_arn = optional(string, null)
saml_provider_arn = optional(string, null)
self_service_saml_provider_arn = optional(string, null)
type = string
}))

transport_protocol = optional(string, "tcp")

# security and network associations
security_group_data = optional(object({
client_vpn_additional_security_group_ids = optional(list(string), [])
ingress_rules = list(object({
description = optional(string, "")
from_port = number
to_port = number
protocol = any
cidr_blocks = optional(list(string), [])
security_group_ids = optional(list(string), [])
ipv6_cidr_blocks = optional(list(string), [])
}))
egress_rules = list(object({
description = optional(string, "")
from_port = number
to_port = number
protocol = any
cidr_blocks = optional(list(string), [])
security_group_ids = optional(list(string), [])
ipv6_cidr_blocks = optional(list(string), [])
}))
}),
{
ingress_rules = [
{
description = "VPN ingress to 443"
from_port = 443
to_port = 443
protocol = "tcp"
}
]
egress_rules = [
{
description = "VPN egress to internet"
from_port = 0
to_port = 0
protocol = -1
cidr_blocks = ["0.0.0.0/0"]
}
]
}
)

subnet_ids = list(string)

# authorization options
authorization_options = map(object({
target_network_cidr = string
access_group_id = optional(string, null)
authorize_all_groups = optional(bool, true)
}))
})
|
{
"authentication_options": null,
"authorization_options": null,
"client_cidr_block": null,
"create": false,
"subnet_ids": []
}
| no |
+| [client\_vpn\_config](#input\_client\_vpn\_config) | VPN configuration options including certs and vpn settings |
object({
create = optional(bool, false)
# certs
server_certificate_data = optional(object({
create = optional(bool, true)
common_name = string
organization = string
allowed_uses = optional(list(string), [
"key_encipherment",
"digital_signature",
"server_auth"
])
ca_cert_pem = string
ca_private_key_pem = string
certificate_arn = optional(string, null)
}))


# vpn settings
iam_saml_provider_enabled = optional(bool, false)
iam_saml_provider_name = optional(string, null)
saml_metadata_document_content = optional(string, null)
client_cidr_block = string
split_tunnel = optional(bool, true)
self_service_portal = optional(string, "disabled")
dns_servers = optional(list(string), ["1.1.1.1", "1.0.0.1"])

# logging options
log_options = optional(object({
enabled = bool
cloudwatch_log_stream = optional(string, null)
cloudwatch_log_group = optional(string, null)
}), {
enabled = false
})

# authentication options
authentication_options = list(object({
active_directory_id = optional(string, null)
root_certificate_chain_arn = optional(string, null)
saml_provider_arn = optional(string, null)
self_service_saml_provider_arn = optional(string, null)
type = string
}))

transport_protocol = optional(string, "tcp")

# security and network associations
security_group_data = optional(object({
client_vpn_additional_security_group_ids = optional(list(string), [])
ingress_rules = list(object({
description = optional(string, "")
from_port = number
to_port = number
protocol = any
cidr_blocks = optional(list(string), [])
security_group_ids = optional(list(string), [])
ipv6_cidr_blocks = optional(list(string), [])
}))
egress_rules = list(object({
description = optional(string, "")
from_port = number
to_port = number
protocol = any
cidr_blocks = optional(list(string), [])
security_group_ids = optional(list(string), [])
ipv6_cidr_blocks = optional(list(string), [])
}))
}),
{
ingress_rules = [
{
description = "VPN ingress to 443"
from_port = 443
to_port = 443
protocol = "tcp"
}
]
egress_rules = [
{
description = "VPN egress to internet"
from_port = 0
to_port = 0
protocol = -1
cidr_blocks = ["0.0.0.0/0"]
}
]
}
)

subnet_ids = list(string)

# authorization options
authorization_options = map(object({
target_network_cidr = string
access_group_id = optional(string, null)
authorize_all_groups = optional(bool, true)
}))
})
|
{
"authentication_options": null,
"authorization_options": null,
"client_cidr_block": null,
"create": false,
"subnet_ids": []
}
| no |
 | [environment](#input\_environment) | Environmenr name | `string` | n/a | yes |
 | [name](#input\_name) | Name of Client VPN or Site to site VPN | `string` | n/a | yes |
 | [namespace](#input\_namespace) | Namespace name | `string` | n/a | yes |
-| [site\_to\_site\_vpn\_config](#input\_site\_to\_site\_vpn\_config) | Configuration for AWS VPN setup combining customer gateway, VPN gateway, and VPN connection configurations. This structure provides a comprehensive approach to defining all necessary parameters for establishing a Site-to-Site VPN. |
object({
create = optional(bool, false)
customer_gateway = object({
bgp_asn = optional(number, 65000) # The Border Gateway Protocol (BGP) Autonomous System Number (ASN) Value must be in 1 - 4294967294 range.
certificate_arn = optional(string, null) # The Amazon Resource Name (ARN) for the customer gateway certificate.
device_name = optional(string, null) # A name for the customer gateway device.
ip_address = string # The IP address of the customer gateway
type = optional(string, "ipsec.1") # The type of VPN connection (e.g., 'ipsec.1')
})

vpn_gateway = object({
create = optional(bool, true)
vpc_id = string # The VPC ID to create the VPN gateway in.
amazon_side_asn = optional(number, null) # The Autonomous System Number (ASN) for the Amazon side of the gateway.
availability_zone = optional(string, null) # The Availability Zone for the VPN gateway.
route_table_ids = optional(list(string), []) # This resource should not be used with a route table that has the propagating_vgws argument set. If that argument is set, any route propagation not explicitly listed in its value will be removed.
})

vpn_connection = object({
transit_gateway_id = optional(string, null) # The ID of the transit gateway
static_routes_only = optional(bool, false) # If true, only static routes are used
enable_acceleration = optional(bool, null) # (Optional, Default false) Indicate whether to enable acceleration for the VPN connection. Supports only EC2 Transit Gateway.

local_ipv4_network_cidr = optional(string, "0.0.0.0/0") # The IPv4 CIDR on the customer gateway side
local_ipv6_network_cidr = optional(string, null) # The IPv6 CIDR on the customer gateway side "::/0"
outside_ip_address_type = optional(string, "PublicIpv4") # Public or Private S2S VPN
remote_ipv4_network_cidr = optional(string, "0.0.0.0/0") # The IPv4 CIDR on the AWS side
remote_ipv6_network_cidr = optional(string, null) # The IPv6 CIDR on the AWS side "::/0"
transport_transit_gateway_attachment_id = optional(string, null) # Transit Gateway attachment ID (required for PrivateIpv4)

tunnel_config = object({
tunnel1 = object({
inside_cidr = string # CIDR block of the first tunnel
preshared_key = optional(string, null) # Pre-shared key for the first tunnel
phase1_encryption_algorithms = optional(list(string), ["AES128", "AES256"]) # Phase 1 encryption algorithms for tunnel 1
phase2_encryption_algorithms = optional(list(string), ["AES128", "AES256"]) # Phase 2 encryption algorithms for tunnel 1
phase1_integrity_algorithms = optional(list(string), ["SHA1", "SHA2-256"]) # Phase 1 integrity algorithms for tunnel 1
phase2_integrity_algorithms = optional(list(string), ["SHA1", "SHA2-256"]) # Phase 2 integrity algorithms for tunnel 1
log_group_arn = optional(string, null)
log_group_kms_arn = optional(string, null) # null - log disabled
log_enabled = optional(bool, false)
log_output_format = optional(string, "json")
log_retention_in_days = optional(number, 7)
})

tunnel2 = object({
inside_cidr = string # CIDR block of the second tunnel
preshared_key = optional(string, null) # Pre-shared key for the second tunnel
phase1_encryption_algorithms = optional(list(string), ["AES128", "AES256"]) # Phase 1 encryption algorithms for tunnel 2
phase2_encryption_algorithms = optional(list(string), ["AES128", "AES256"]) # Phase 2 encryption algorithms for tunnel 2
phase1_integrity_algorithms = optional(list(string), ["SHA1", "SHA2-256"]) # Phase 1 integrity algorithms for tunnel 2
phase2_integrity_algorithms = optional(list(string), ["SHA1", "SHA2-256"]) # Phase 2 integrity algorithms for tunnel 2
log_enabled = optional(bool, false)
log_group_arn = optional(string, null)
log_group_kms_arn = optional(string, null)
log_output_format = optional(string, "json")
log_retention_in_days = optional(number, 7)
})
})
# VPN routes configuration (only for static routes)
routes = optional(list(object({
destination_cidr_block = string # The CIDR block to route through the VPN
})), [])
})
})
|
{
"create": false,
"customer_gateway": null,
"vpn_connection": null,
"vpn_gateway": null
}
| no |
+| [site\_to\_site\_vpn\_config](#input\_site\_to\_site\_vpn\_config) | Configuration for AWS VPN setup combining customer gateway, VPN gateway, and VPN connection configurations. This structure provides a comprehensive approach to defining all necessary parameters for establishing a Site-to-Site VPN. |
object({
create = optional(bool, false)
customer_gateway = object({
bgp_asn = optional(number, 65000) # The Border Gateway Protocol (BGP) Autonomous System Number (ASN) Value must be in 1 - 4294967294 range.
certificate_arn = optional(string, null) # The Amazon Resource Name (ARN) for the customer gateway certificate.
device_name = optional(string, null) # A name for the customer gateway device.
ip_address = string # The IP address of the customer gateway
type = optional(string, "ipsec.1") # The type of VPN connection (e.g., 'ipsec.1')
})

vpn_gateway = object({
create = optional(bool, true)
vpc_id = string # The VPC ID to create the VPN gateway in.
amazon_side_asn = optional(number, null) # The Autonomous System Number (ASN) for the Amazon side of the gateway.
availability_zone = optional(string, null) # The Availability Zone for the VPN gateway.
route_table_ids = optional(list(string), []) # This resource should not be used with a route table that has the propagating_vgws argument set. If that argument is set, any route propagation not explicitly listed in its value will be removed.
})

vpn_connection = object({
transit_gateway_id = optional(string, null) # The ID of the transit gateway
vpn_gateway_id = optional(string, null) # The ID of the Virtual Private Gateway
static_routes_only = optional(bool, false) # If true, only static routes are used
enable_acceleration = optional(bool, null) # (Optional, Default false) Indicate whether to enable acceleration for the VPN connection. Supports only EC2 Transit Gateway.
local_ipv4_network_cidr = optional(string, "0.0.0.0/0") # The IPv4 CIDR on the customer gateway side
local_ipv6_network_cidr = optional(string, null) # The IPv6 CIDR on the customer gateway side
outside_ip_address_type = optional(string, "PublicIpv4") # Public or Private S2S VPN
remote_ipv4_network_cidr = optional(string, "0.0.0.0/0") # The IPv4 CIDR on the AWS side
remote_ipv6_network_cidr = optional(string, null) # The IPv6 CIDR on the AWS side
transport_transit_gateway_attachment_id = optional(string, null) # Transit Gateway attachment ID (required for PrivateIpv4)
tunnel_inside_ip_version = optional(string, "ipv4") # IPv4 or IPv6 traffic processing

tunnel_config = object({
tunnel1 = object({
inside_cidr = optional(string, null) # CIDR block of the first tunnel
inside_ipv6_cidr = optional(string, null) # IPv6 CIDR block of the first tunnel
preshared_key = optional(string, null) # Pre-shared key for the first tunnel
dpd_timeout_action = optional(string, "clear") # DPD timeout action: clear, none, restart
dpd_timeout_seconds = optional(number, 30) # DPD timeout in seconds (>=30)
enable_tunnel_lifecycle_control = optional(bool, false) # Turn on/off tunnel endpoint lifecycle control
ike_versions = optional(list(string), ["ikev1", "ikev2"]) # IKE versions: ikev1, ikev2
phase1_dh_group_numbers = optional(list(number), [2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24]) # Phase 1 DH group numbers
phase1_encryption_algorithms = optional(list(string), ["AES128", "AES256"]) # Phase 1 encryption algorithms
phase1_integrity_algorithms = optional(list(string), ["SHA1", "SHA2-256"]) # Phase 1 integrity algorithms
phase1_lifetime_seconds = optional(number, 28800) # Phase 1 lifetime (900-28800)
phase2_dh_group_numbers = optional(list(number), [2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24]) # Phase 2 DH group numbers
phase2_encryption_algorithms = optional(list(string), ["AES128", "AES256"]) # Phase 2 encryption algorithms
phase2_integrity_algorithms = optional(list(string), ["SHA1", "SHA2-256"]) # Phase 2 integrity algorithms
phase2_lifetime_seconds = optional(number, 3600) # Phase 2 lifetime (900-3600)
rekey_fuzz_percentage = optional(number, 100) # Rekey fuzz percentage (0-100)
rekey_margin_time_seconds = optional(number, 540) # Rekey margin time (60 to half of phase2_lifetime)
replay_window_size = optional(number, 1024) # Replay window size (64-2048)
startup_action = optional(string, "add") # Startup action: add, start
log_enabled = optional(bool, false) # Enable VPN tunnel logging
log_group_arn = optional(string, null) # CloudWatch log group ARN
log_group_kms_arn = optional(string, null) # KMS key for log encryption
log_output_format = optional(string, "json") # Log format: json, text
log_retention_in_days = optional(number, 7) # Log retention period
})

tunnel2 = object({
inside_cidr = optional(string, null) # CIDR block of the second tunnel
inside_ipv6_cidr = optional(string, null) # IPv6 CIDR block of the second tunnel
preshared_key = optional(string, null) # Pre-shared key for the second tunnel
dpd_timeout_action = optional(string, "clear") # DPD timeout action: clear, none, restart
dpd_timeout_seconds = optional(number, 30) # DPD timeout in seconds (>=30)
enable_tunnel_lifecycle_control = optional(bool, false) # Turn on/off tunnel endpoint lifecycle control
ike_versions = optional(list(string), ["ikev1", "ikev2"]) # IKE versions: ikev1, ikev2
phase1_dh_group_numbers = optional(list(number), [2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24]) # Phase 1 DH group numbers
phase1_encryption_algorithms = optional(list(string), ["AES128", "AES256"]) # Phase 1 encryption algorithms
phase1_integrity_algorithms = optional(list(string), ["SHA1", "SHA2-256"]) # Phase 1 integrity algorithms
phase1_lifetime_seconds = optional(number, 28800) # Phase 1 lifetime (900-28800)
phase2_dh_group_numbers = optional(list(number), [2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24]) # Phase 2 DH group numbers
phase2_encryption_algorithms = optional(list(string), ["AES128", "AES256"]) # Phase 2 encryption algorithms
phase2_integrity_algorithms = optional(list(string), ["SHA1", "SHA2-256"]) # Phase 2 integrity algorithms
phase2_lifetime_seconds = optional(number, 3600) # Phase 2 lifetime (900-3600)
rekey_fuzz_percentage = optional(number, 100) # Rekey fuzz percentage (0-100)
rekey_margin_time_seconds = optional(number, 540) # Rekey margin time (60 to half of phase2_lifetime)
replay_window_size = optional(number, 1024) # Replay window size (64-2048)
startup_action = optional(string, "add") # Startup action: add, start
log_enabled = optional(bool, false) # Enable VPN tunnel logging
log_group_arn = optional(string, null) # CloudWatch log group ARN
log_group_kms_arn = optional(string, null) # KMS key for log encryption
log_output_format = optional(string, "json") # Log format: json, text
log_retention_in_days = optional(number, 7) # Log retention period
})
})
# VPN routes configuration (only for static routes)
routes = optional(list(object({
destination_cidr_block = string # The CIDR block to route through the VPN
})), [])
})
})
|
{
"create": false,
"customer_gateway": null,
"vpn_connection": null,
"vpn_gateway": null
}
| no |
 | [tags](#input\_tags) | Default tags to apply to every applicable resource | `map(string)` | n/a | yes |
 | [vpc\_id](#input\_vpc\_id) | The ID of the target network VPC | `string` | n/a | yes |
diff --git a/examples/client-vpn/README.md b/examples/client-vpn/README.md
index 7709f08..952a595 100644
--- a/examples/client-vpn/README.md
+++ b/examples/client-vpn/README.md
@@ -6,7 +6,7 @@
 | Name | Version |
 |------|---------|
 | [terraform](#requirement\_terraform) | >= 1.3, < 2.0.0 |
-| [aws](#requirement\_aws) | >= 4.0 |
+| [aws](#requirement\_aws) | >= 5.0, < 7.0 |
 ## Providers
diff --git a/examples/client-vpn/main.tf b/examples/client-vpn/main.tf
index 6f42b6b..55d74e5 100644
--- a/examples/client-vpn/main.tf
+++ b/examples/client-vpn/main.tf
@@ -7,7 +7,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = ">= 4.0"
+ version = ">= 5.0, < 7.0"
 }
 }
 }
diff --git a/examples/site-to-site-vpn/.terraform.lock.hcl b/examples/site-to-site-vpn/.terraform.lock.hcl
index a68903a..8ac7685 100644
--- a/examples/site-to-site-vpn/.terraform.lock.hcl
+++ b/examples/site-to-site-vpn/.terraform.lock.hcl
@@ -2,48 +2,64 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/aws" { - version = "5.11.0" - constraints = ">= 3.0.0, >= 4.0.0" + version = "5.100.0" + constraints = ">= 4.0.0, >= 5.0.0, < 6.0.0, < 7.0.0" hashes = [ - "h1:OyEBhYcTPChBb0gooSlLIcrxakh72qAN+Sd8Oo12uoc=", - "h1:Wo6WCPXNnbyeRp57Jvlp7VBm9acVAAg6jVmFRU2IWjk=", - "h1:fe40QyKVicffeFFfepqSFanao0O3ybZMiR7sWUmXNYw=", - "zh:2913af44f9b584f756e5548d5ddc5a251c6d68a7fcd7c41d1418a800a94ef113", - "zh:31d2bfa84608b74ff5896f41b09e5927d7c37d18875277a51dcd75a1fea3f909", - "zh:8538ff18e3b4822178e793f06764efdbb84c62227c1051af7d2409ab7be37bfc", - "zh:8a9295e623327613fc02a6994e73c61b9d0d195bf6fabdb31ee9fd0e6778f62b", + "h1:Ijt7pOlB7Tr7maGQIqtsLFbl7pSMIj06TVdkoSBcYOw=", + "zh:054b8dd49f0549c9a7cc27d159e45327b7b65cf404da5e5a20da154b90b8a644", + "zh:0b97bf8d5e03d15d83cc40b0530a1f84b459354939ba6f135a0086c20ebbe6b2", + "zh:1589a2266af699cbd5d80737a0fe02e54ec9cf2ca54e7e00ac51c7359056f274", + "zh:6330766f1d85f01ae6ea90d1b214b8b74cc8c1badc4696b165b36ddd4cc15f7b", + "zh:7c8c2e30d8e55291b86fcb64bdf6c25489d538688545eb48fd74ad622e5d3862", + "zh:99b1003bd9bd32ee323544da897148f46a527f622dc3971af63ea3e251596342", "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:a65877248951eadf0d16a3260e85f6b178645da7f1897bc7bda6f12fdbec8e47", - "zh:a70772851e2c87cc1e10c35389718a544746adc4acbbed129243c0972c367fc6", - "zh:b10ca631318f8d1d9a2baa318139bc9e545e51efaf677afece173badce75b44c", - "zh:ca2a5698c33158549fa084ad601610eae94498cba445458391b507da22355402", - "zh:cdbfc4d64161561bfbcaee5d9b078077ed986131a1eab32ff30e71be09037eec", - "zh:ce499f93835bf3d28c13ba98a0a220ff541a827fb400fa931601a375b907b56d", - "zh:da6af610e66e96280a299071a698568b505c2456bb15c906304d6f39578c72e3", - "zh:e42714e085126c10d8f29664143f97d771b6cc6887d27cdf6c4007ab12af4646", - "zh:e86dd0c561c73512acba69f55041adfc04d0467f592f52337a7ac600fbc93680", - 
"zh:f5da95bbd44809534c6678e9b1ae0b390331a5619f2ae353c6b88e96ae855cc0", + "zh:9f8b909d3ec50ade83c8062290378b1ec553edef6a447c56dadc01a99f4eaa93", + "zh:aaef921ff9aabaf8b1869a86d692ebd24fbd4e12c21205034bb679b9caf883a2", + "zh:ac882313207aba00dd5a76dbd572a0ddc818bb9cbf5c9d61b28fe30efaec951e", + "zh:bb64e8aff37becab373a1a0cc1080990785304141af42ed6aa3dd4913b000421", + "zh:dfe495f6621df5540d9c92ad40b8067376350b005c637ea6efac5dc15028add4", + "zh:f0ddf0eaf052766cfe09dea8200a946519f653c384ab4336e2a4a64fdd6310e9", + "zh:f1b7e684f4c7ae1eed272b6de7d2049bb87a0275cb04dbb7cda6636f600699c9", + "zh:ff461571e3f233699bf690db319dfe46aec75e58726636a0d97dd9ac6e32fb70", + ] +} + +provider "registry.terraform.io/hashicorp/local" { + version = "2.5.2" + constraints = "2.5.2" + hashes = [ + "h1:IyFbOIO6mhikFNL/2h1iZJ6kyN3U00jgkpCLUCThAfE=", + "zh:136299545178ce281c56f36965bf91c35407c11897f7082b3b983d86cb79b511", + "zh:3b4486858aa9cb8163378722b642c57c529b6c64bfbfc9461d940a84cd66ebea", + "zh:4855ee628ead847741aa4f4fc9bed50cfdbf197f2912775dd9fe7bc43fa077c0", + "zh:4b8cd2583d1edcac4011caafe8afb7a95e8110a607a1d5fb87d921178074a69b", + "zh:52084ddaff8c8cd3f9e7bcb7ce4dc1eab00602912c96da43c29b4762dc376038", + "zh:71562d330d3f92d79b2952ffdda0dad167e952e46200c767dd30c6af8d7c0ed3", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:805f81ade06ff68fa8b908d31892eaed5c180ae031c77ad35f82cb7a74b97cf4", + "zh:8b6b3ebeaaa8e38dd04e56996abe80db9be6f4c1df75ac3cccc77642899bd464", + "zh:ad07750576b99248037b897de71113cc19b1a8d0bc235eb99173cc83d0de3b1b", + "zh:b9f1c3bfadb74068f5c205292badb0661e17ac05eb23bfe8bd809691e4583d0e", + "zh:cc4cbcd67414fefb111c1bf7ab0bc4beb8c0b553d01719ad17de9a047adff4d1", ] } provider "registry.terraform.io/hashicorp/tls" { - version = "4.0.4" - constraints = ">= 4.0.0" + version = "4.0.6" + constraints = "4.0.6" hashes = [ - "h1:GZcFizg5ZT2VrpwvxGBHQ/hO9r6g0vYdQqx3bFD3anY=", - "h1:Wd3RqmQW60k2QWPN4sK5CtjGuO1d+CRNXgC+D4rKtXc=", - 
"h1:pe9vq86dZZKCm+8k1RhzARwENslF3SXb9ErHbQfgjXU=", - "zh:23671ed83e1fcf79745534841e10291bbf34046b27d6e68a5d0aab77206f4a55", - "zh:45292421211ffd9e8e3eb3655677700e3c5047f71d8f7650d2ce30242335f848", - "zh:59fedb519f4433c0fdb1d58b27c210b27415fddd0cd73c5312530b4309c088be", - "zh:5a8eec2409a9ff7cd0758a9d818c74bcba92a240e6c5e54b99df68fff312bbd5", - "zh:5e6a4b39f3171f53292ab88058a59e64825f2b842760a4869e64dc1dc093d1fe", - "zh:810547d0bf9311d21c81cc306126d3547e7bd3f194fc295836acf164b9f8424e", - "zh:824a5f3617624243bed0259d7dd37d76017097dc3193dac669be342b90b2ab48", - "zh:9361ccc7048be5dcbc2fafe2d8216939765b3160bd52734f7a9fd917a39ecbd8", - "zh:aa02ea625aaf672e649296bce7580f62d724268189fe9ad7c1b36bb0fa12fa60", - "zh:c71b4cd40d6ec7815dfeefd57d88bc592c0c42f5e5858dcc88245d371b4b8b1e", - "zh:dabcd52f36b43d250a3d71ad7abfa07b5622c69068d989e60b79b2bb4f220316", + "h1:n3M50qfWfRSpQV9Pwcvuse03pEizqrmYEryxKky4so4=", + "zh:10de0d8af02f2e578101688fd334da3849f56ea91b0d9bd5b1f7a243417fdda8", + "zh:37fc01f8b2bc9d5b055dc3e78bfd1beb7c42cfb776a4c81106e19c8911366297", + "zh:4578ca03d1dd0b7f572d96bd03f744be24c726bfd282173d54b100fd221608bb", + "zh:6c475491d1250050765a91a493ef330adc24689e8837a0f07da5a0e1269e11c1", + "zh:81bde94d53cdababa5b376bbc6947668be4c45ab655de7aa2e8e4736dfd52509", + "zh:abdce260840b7b050c4e401d4f75c7a199fafe58a8b213947a258f75ac18b3e8", + "zh:b754cebfc5184873840f16a642a7c9ef78c34dc246a8ae29e056c79939963c7a", + "zh:c928b66086078f9917aef0eec15982f2e337914c5c4dbc31dd4741403db7eb18", + "zh:cded27bee5f24de6f2ee0cfd1df46a7f88e84aaffc2ecbf3ff7094160f193d50", + "zh:d65eb3867e8f69aaf1b8bb53bd637c99c6b649ba3db16ded50fa9a01076d1a27", + "zh:ecb0c8b528c7a619fa71852bb3fb5c151d47576c5aab2bf3af4db52588722eeb", "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", ] } diff --git a/examples/site-to-site-vpn/README.md b/examples/site-to-site-vpn/README.md index 7a39049..aa99963 100644 --- a/examples/site-to-site-vpn/README.md +++ b/examples/site-to-site-vpn/README.md 
@@ -6,13 +6,13 @@
 | Name | Version |
 |------|---------|
 | [terraform](#requirement\_terraform) | >= 1.3, < 2.0.0 |
-| [aws](#requirement\_aws) | >= 5.0 |
+| [aws](#requirement\_aws) | >= 5.0, < 7.0 |
 ## Providers
 | Name | Version |
 |------|---------|
-| [aws](#provider\_aws) | 5.11.0 |
+| [aws](#provider\_aws) | 5.100.0 |
 ## Modules
@@ -25,6 +25,7 @@
 | Name | Type |
 |------|------|
+| [aws_route_tables.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route_tables) | data source |
 | [aws_vpc.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
 ## Inputs
diff --git a/examples/site-to-site-vpn/main.tf b/examples/site-to-site-vpn/main.tf
index ca0d3c0..847839f 100644
--- a/examples/site-to-site-vpn/main.tf
+++ b/examples/site-to-site-vpn/main.tf
@@ -7,7 +7,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = ">= 5.0"
+ version = ">= 5.0, < 7.0"
 }
 }
 }
@@ -36,11 +36,24 @@ data "aws_vpc" "this" {
 filter {
 name = "tag:Name"
 values = [
- "aws-vpc-test-iac"
+ "arc-poc-vpc"
 ]
 }
 }
+# Fetch all route tables in the VPC
+data "aws_route_tables" "private" {
+ filter {
+ name = "vpc-id"
+ values = [data.aws_vpc.this.id]
+ }
+
+ filter {
+ name = "tag:Type"
+ values = ["private"]
+ }
+}
+
 ################################################################################
 ## Site to Site VPN
 ################################################################################
@@ -48,7 +61,7 @@ module "vpn" {
 source = "../../"
 #version = "1.0.0" # pin the correct version
- name = "${var.namespace}-${var.environment}-vpn-example"
+ name = "${var.namespace}-${var.environment}-site-to-site-vpn-example"
 namespace = var.namespace
 environment = var.environment
 vpc_id = data.aws_vpc.this.id
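Review bot: `data "aws_route_tables" "private"` returns an empty `ids` list when no route table in the VPC carries `tag:Type = private`, and since that list is what the example later feeds to `vpn_gateway.route_table_ids`, a mistagged VPC would apply cleanly and leave the VPN gateway propagating routes to nothing — the on-prem CIDR is silently unreachable. The example already requires Terraform >= 1.3, so a `postcondition` on the data source turns this into a plan-time failure instead of a quiet misconfiguration. The hard-coded VPC name `arc-poc-vpc` also deserves either a comment stating it must pre-exist in the target account or promotion to a variable. The `module "vpn"` block at the end of this hunk continues past it.

```hcl
# Fetch all route tables in the VPC
data "aws_route_tables" "private" {
  # … unchanged: vpc-id and tag:Type filters …

  lifecycle {
    postcondition {
      condition     = length(self.ids) > 0
      error_message = "VPC ${data.aws_vpc.this.id} has no route tables tagged Type=private; VPN routes would not propagate anywhere."
    }
  }
}
```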
@@ -63,12 +76,11 @@ module "vpn" {
 vpn_gateway = {
 vpc_id = data.aws_vpc.this.id
- route_table_ids = ["rtb-0bacb41a2947c7b8c", "rtb-0362a413a6bdaca0e"]
+ route_table_ids = data.aws_route_tables.private.ids
 }
 vpn_connection = {
- static_routes_only = true
-
+ static_routes_only = true
 local_ipv4_network_cidr = "10.3.0.0/16"
 remote_ipv4_network_cidr = "10.0.0.0/16"
@@ -77,12 +89,14 @@ module "vpn" {
 inside_cidr = null
 log_enabled = true
 log_retention_in_days = 7
+ ike_versions = ["ikev2"]
 }
 tunnel2 = {
 inside_cidr = null # CIDR block of the second tunnel
 log_enabled = true
 log_retention_in_days = 7
+ ike_versions = ["ikev2"]
 }
 }
diff --git a/examples/site-to-site-vpn/outputs.tf b/examples/site-to-site-vpn/outputs.tf
index 102081d..c19992c 100644
--- a/examples/site-to-site-vpn/outputs.tf
+++ b/examples/site-to-site-vpn/outputs.tf
@@ -1,14 +1,14 @@
 output "vpn_gateway_id" {
- value = module.vpn.vpn_gateway_id
+ value = nonsensitive(module.vpn.vpn_gateway_id)
 description = "The VPN Gateway ID"
 }
 output "site_to_site_vpn_id" {
- value = module.vpn.site_to_site_vpn_id
+ value = nonsensitive(module.vpn.site_to_site_vpn_id)
 description = "The site to site vpn ID"
 }
 output "customer_gateway_id" {
- value = module.vpn.customer_gateway_id
+ value = nonsensitive(module.vpn.customer_gateway_id)
 description = "Customer Gateway ID"
 }
diff --git a/modules/site-to-site-vpn/local.tf b/modules/site-to-site-vpn/local.tf
index e46920a..889b762 100644
--- a/modules/site-to-site-vpn/local.tf
+++ b/modules/site-to-site-vpn/local.tf
@@ -1,3 +1,5 @@
 locals {
- prefix = "${var.namespace}-${var.environment}"
+ prefix = "${var.namespace}-${var.environment}"
+ vpn_routes = nonsensitive(var.vpn_connection_config.routes)
+ vpn_gateway_route_tables = nonsensitive(var.vpn_gateway_config.route_table_ids)
 }
diff --git a/modules/site-to-site-vpn/main.tf b/modules/site-to-site-vpn/main.tf
index f62fd60..a0830db 100644
--- a/modules/site-to-site-vpn/main.tf
+++ b/modules/site-to-site-vpn/main.tf
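Review bot: Both tunnel blocks still inherit the module defaults that the README hunk of this same commit documents — `phase1_integrity_algorithms = ["SHA1", "SHA2-256"]` and `phase1_dh_group_numbers` beginning with group 2 (1024-bit MODP) — so even with `ike_versions = ["ikev2"]` the AWS side will accept SHA-1 and DH group 2 if the customer gateway proposes them. An example that people copy should pin the integrity and DH-group proposals alongside the IKE version; the exact set of groups the provider accepts is not visible here, so the values below are drawn from the README's documented list. `module "vpn"` and both `tunnel1`/`tunnel2` blocks begin before this hunk.

```hcl
tunnel1 = {
  # … unchanged: inside_cidr, log_enabled, log_retention_in_days …
  ike_versions                = ["ikev2"]
  phase1_integrity_algorithms = ["SHA2-256"]
  phase2_integrity_algorithms = ["SHA2-256"]
  phase1_dh_group_numbers     = [14, 19, 20, 21]
  phase2_dh_group_numbers     = [14, 19, 20, 21]
}
# … tunnel2: same five additions …
```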
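Review bot: The three `nonsensitive()` wrappers in outputs.tf unmark values without recording why they were marked, and the module outputs that carry the mark are not in this diff, so a reader has to guess that the sensitivity is inherited from `site_to_site_vpn_config` (which holds tunnel `preshared_key`s) rather than from anything secret in the IDs themselves. That guess should be written down, and the example now depends on the module keeping its outputs sensitive: on Terraform releases where `nonsensitive()` rejects an argument that is not sensitive, a module change that drops the mark would break this example at plan time. Suggested comment above the first output: `# module.vpn outputs inherit sensitivity from the input config (tunnel pre-shared keys); the IDs themselves are not secret, so unmark them for display`.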
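Review bot: `local.vpn_routes` and `local.vpn_gateway_route_tables` strip the sensitive mark from two input objects, presumably so they can drive `for_each`, which refuses sensitive collections, but neither that reason nor the invariant that makes it safe is stated anywhere in local.tf. Today the unmarked values hold only `destination_cidr_block` strings and route-table IDs, so no secret leaks into plan output or state keys, yet nothing stops a later field added to `routes` (the object the README hunk shows is still open to extension) from riding along unmarked. Record the contract next to the locals: `# for_each cannot iterate sensitive values; these hold only CIDRs and route-table IDs (never PSKs), so unmarking them is safe`. The variable declarations that apply the sensitive mark are outside this diff, so whether `nonsensitive()` would error here on a release that rejects non-sensitive arguments cannot be confirmed from the hunk.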
@@ -30,33 +30,61 @@ resource "aws_vpn_gateway" "this" { # Main VPN connection resource resource "aws_vpn_connection" "this" { - customer_gateway_id = aws_customer_gateway.this.id - type = aws_customer_gateway.this.type - vpn_gateway_id = aws_vpn_gateway.this[0].id - transit_gateway_id = var.vpn_connection_config.transit_gateway_id - static_routes_only = var.vpn_connection_config.static_routes_only - enable_acceleration = var.vpn_connection_config.enable_acceleration - - tunnel1_inside_cidr = var.vpn_connection_config.tunnel_config.tunnel1.inside_cidr - tunnel1_preshared_key = var.vpn_connection_config.tunnel_config.tunnel1.preshared_key - tunnel1_phase1_encryption_algorithms = var.vpn_connection_config.tunnel_config.tunnel1.phase1_encryption_algorithms - tunnel1_phase2_encryption_algorithms = var.vpn_connection_config.tunnel_config.tunnel1.phase2_encryption_algorithms - tunnel1_phase1_integrity_algorithms = var.vpn_connection_config.tunnel_config.tunnel1.phase1_integrity_algorithms - tunnel1_phase2_integrity_algorithms = var.vpn_connection_config.tunnel_config.tunnel1.phase2_integrity_algorithms - - tunnel2_inside_cidr = var.vpn_connection_config.tunnel_config.tunnel2.inside_cidr - tunnel2_preshared_key = var.vpn_connection_config.tunnel_config.tunnel2.preshared_key - tunnel2_phase1_encryption_algorithms = var.vpn_connection_config.tunnel_config.tunnel2.phase1_encryption_algorithms - tunnel2_phase2_encryption_algorithms = var.vpn_connection_config.tunnel_config.tunnel2.phase2_encryption_algorithms - tunnel2_phase1_integrity_algorithms = var.vpn_connection_config.tunnel_config.tunnel2.phase1_integrity_algorithms - tunnel2_phase2_integrity_algorithms = var.vpn_connection_config.tunnel_config.tunnel2.phase2_integrity_algorithms - + customer_gateway_id = aws_customer_gateway.this.id + type = aws_customer_gateway.this.type + vpn_gateway_id = var.vpn_gateway_config.create ? 
aws_vpn_gateway.this[0].id : var.vpn_connection_config.vpn_gateway_id + transit_gateway_id = var.vpn_connection_config.transit_gateway_id + static_routes_only = var.vpn_connection_config.static_routes_only + enable_acceleration = var.vpn_connection_config.enable_acceleration local_ipv4_network_cidr = var.vpn_connection_config.local_ipv4_network_cidr local_ipv6_network_cidr = var.vpn_connection_config.local_ipv6_network_cidr outside_ip_address_type = var.vpn_connection_config.outside_ip_address_type remote_ipv4_network_cidr = var.vpn_connection_config.remote_ipv4_network_cidr remote_ipv6_network_cidr = var.vpn_connection_config.remote_ipv6_network_cidr transport_transit_gateway_attachment_id = var.vpn_connection_config.transport_transit_gateway_attachment_id + tunnel_inside_ip_version = var.vpn_connection_config.tunnel_inside_ip_version + + # Tunnel 1 Configuration + tunnel1_inside_cidr = var.vpn_connection_config.tunnel_config.tunnel1.inside_cidr + tunnel1_inside_ipv6_cidr = var.vpn_connection_config.tunnel_config.tunnel1.inside_ipv6_cidr + tunnel1_preshared_key = var.vpn_connection_config.tunnel_config.tunnel1.preshared_key + tunnel1_dpd_timeout_action = var.vpn_connection_config.tunnel_config.tunnel1.dpd_timeout_action + tunnel1_dpd_timeout_seconds = var.vpn_connection_config.tunnel_config.tunnel1.dpd_timeout_seconds + tunnel1_enable_tunnel_lifecycle_control = var.vpn_connection_config.tunnel_config.tunnel1.enable_tunnel_lifecycle_control + tunnel1_ike_versions = var.vpn_connection_config.tunnel_config.tunnel1.ike_versions + tunnel1_phase1_dh_group_numbers = var.vpn_connection_config.tunnel_config.tunnel1.phase1_dh_group_numbers + tunnel1_phase1_encryption_algorithms = var.vpn_connection_config.tunnel_config.tunnel1.phase1_encryption_algorithms + tunnel1_phase1_integrity_algorithms = var.vpn_connection_config.tunnel_config.tunnel1.phase1_integrity_algorithms + tunnel1_phase1_lifetime_seconds = 
var.vpn_connection_config.tunnel_config.tunnel1.phase1_lifetime_seconds + tunnel1_phase2_dh_group_numbers = var.vpn_connection_config.tunnel_config.tunnel1.phase2_dh_group_numbers + tunnel1_phase2_encryption_algorithms = var.vpn_connection_config.tunnel_config.tunnel1.phase2_encryption_algorithms + tunnel1_phase2_integrity_algorithms = var.vpn_connection_config.tunnel_config.tunnel1.phase2_integrity_algorithms + tunnel1_phase2_lifetime_seconds = var.vpn_connection_config.tunnel_config.tunnel1.phase2_lifetime_seconds + tunnel1_rekey_fuzz_percentage = var.vpn_connection_config.tunnel_config.tunnel1.rekey_fuzz_percentage + tunnel1_rekey_margin_time_seconds = var.vpn_connection_config.tunnel_config.tunnel1.rekey_margin_time_seconds + tunnel1_replay_window_size = var.vpn_connection_config.tunnel_config.tunnel1.replay_window_size + tunnel1_startup_action = var.vpn_connection_config.tunnel_config.tunnel1.startup_action + + # Tunnel 2 Configuration + tunnel2_inside_cidr = var.vpn_connection_config.tunnel_config.tunnel2.inside_cidr + tunnel2_inside_ipv6_cidr = var.vpn_connection_config.tunnel_config.tunnel2.inside_ipv6_cidr + tunnel2_preshared_key = var.vpn_connection_config.tunnel_config.tunnel2.preshared_key + tunnel2_dpd_timeout_action = var.vpn_connection_config.tunnel_config.tunnel2.dpd_timeout_action + tunnel2_dpd_timeout_seconds = var.vpn_connection_config.tunnel_config.tunnel2.dpd_timeout_seconds + tunnel2_enable_tunnel_lifecycle_control = var.vpn_connection_config.tunnel_config.tunnel2.enable_tunnel_lifecycle_control + tunnel2_ike_versions = var.vpn_connection_config.tunnel_config.tunnel2.ike_versions + tunnel2_phase1_dh_group_numbers = var.vpn_connection_config.tunnel_config.tunnel2.phase1_dh_group_numbers + tunnel2_phase1_encryption_algorithms = var.vpn_connection_config.tunnel_config.tunnel2.phase1_encryption_algorithms + tunnel2_phase1_integrity_algorithms = var.vpn_connection_config.tunnel_config.tunnel2.phase1_integrity_algorithms + 
tunnel2_phase1_lifetime_seconds = var.vpn_connection_config.tunnel_config.tunnel2.phase1_lifetime_seconds + tunnel2_phase2_dh_group_numbers = var.vpn_connection_config.tunnel_config.tunnel2.phase2_dh_group_numbers + tunnel2_phase2_encryption_algorithms = var.vpn_connection_config.tunnel_config.tunnel2.phase2_encryption_algorithms + tunnel2_phase2_integrity_algorithms = var.vpn_connection_config.tunnel_config.tunnel2.phase2_integrity_algorithms + tunnel2_phase2_lifetime_seconds = var.vpn_connection_config.tunnel_config.tunnel2.phase2_lifetime_seconds + tunnel2_rekey_fuzz_percentage = var.vpn_connection_config.tunnel_config.tunnel2.rekey_fuzz_percentage + tunnel2_rekey_margin_time_seconds = var.vpn_connection_config.tunnel_config.tunnel2.rekey_margin_time_seconds + tunnel2_replay_window_size = var.vpn_connection_config.tunnel_config.tunnel2.replay_window_size + tunnel2_startup_action = var.vpn_connection_config.tunnel_config.tunnel2.startup_action # VPN Logging configuration dynamic "tunnel1_log_options" { @@ -67,9 +95,9 @@ resource "aws_vpn_connection" "this" { log_output_format = var.vpn_connection_config.tunnel_config.tunnel1.log_output_format log_enabled = var.vpn_connection_config.tunnel_config.tunnel1.log_enabled } - } } + dynamic "tunnel2_log_options" { for_each = var.vpn_connection_config.tunnel_config.tunnel2.log_enabled ? [1] : [] content { @@ -78,7 +106,6 @@ resource "aws_vpn_connection" "this" { log_output_format = var.vpn_connection_config.tunnel_config.tunnel2.log_output_format log_enabled = var.vpn_connection_config.tunnel_config.tunnel2.log_enabled } - } } 
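Review bot: The new `vpn_gateway_id` ternary in `aws_vpn_connection.this` can leave the connection with no gateway at all when `vpn_gateway_config.create` is false and the caller sets neither `vpn_connection_config.vpn_gateway_id` nor `transit_gateway_id`; that case only fails as an API error at apply time. The provider already rejects setting both (the two arguments conflict), but nothing covers the "neither" case, so a precondition on the resource catches it at plan time. The resource body continues past this hunk (the log-options blocks and the closing brace are in the following hunks).
```hcl
resource "aws_vpn_connection" "this" {
  # … unchanged: gateway, CIDR and tunnel arguments …

  lifecycle {
    precondition {
      condition     = var.vpn_gateway_config.create || var.vpn_connection_config.vpn_gateway_id != null || var.vpn_connection_config.transit_gateway_id != null
      error_message = "vpn_connection_config needs a virtual private gateway (vpn_gateway_config.create = true or vpn_gateway_id) or a transit_gateway_id."
    }
  }
```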
@@ -92,7 +119,7 @@ resource "aws_vpn_connection" "this" { # VPN connection routes (if static routes are enabled) resource "aws_vpn_connection_route" "this" { - for_each = { for obj in var.vpn_connection_config.routes : obj.destination_cidr_block => obj } + for_each = { for obj in local.vpn_routes : obj.destination_cidr_block => obj } destination_cidr_block = each.key vpn_connection_id = aws_vpn_connection.this.id @@ -114,7 +141,7 @@ resource "aws_cloudwatch_log_group" "tunnel2" { } resource "aws_vpn_gateway_route_propagation" "this" { - for_each = toset(var.vpn_gateway_config.route_table_ids) + for_each = toset(local.vpn_gateway_route_tables) vpn_gateway_id = aws_vpn_gateway.this[0].id route_table_id = each.value diff --git a/modules/site-to-site-vpn/outputs.tf b/modules/site-to-site-vpn/outputs.tf index e3393df..f0fda53 100644 --- a/modules/site-to-site-vpn/outputs.tf +++ b/modules/site-to-site-vpn/outputs.tf 
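Review bot: `aws_vpn_gateway_route_propagation.this` still hard-codes `vpn_gateway_id = aws_vpn_gateway.this[0].id`, but the connection resource in this same diff now accepts an externally supplied `vpn_connection_config.vpn_gateway_id` when `vpn_gateway_config.create` is false; with `create = false` and a non-empty `route_table_ids` the `[0]` index has no element and the plan fails. Mirror the ternary used for the connection: `vpn_gateway_id = var.vpn_gateway_config.create ? aws_vpn_gateway.this[0].id : var.vpn_connection_config.vpn_gateway_id`. Propagation for a transit-gateway attachment is a different mechanism, so a comment such as `# Only meaningful for a virtual private gateway; TGW attachments propagate via TGW route tables` would save callers a wrong assumption.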
@@ -12,3 +12,90 @@ output "customer_gateway_id" {
 value = aws_customer_gateway.this.id
 description = "Customer Gateway ID"
 }
+
+output "vpn_connection_arn" {
+ description = "Amazon Resource Name (ARN) of the VPN Connection"
+ value = aws_vpn_connection.this.arn
+}
+
+output "customer_gateway_configuration" {
+ description = "The configuration information for the VPN connection's customer gateway"
+ value = aws_vpn_connection.this.customer_gateway_configuration
+}
+
+output "transit_gateway_attachment_id" {
+ description = "When associated with an EC2 Transit Gateway, the attachment ID"
+ value = aws_vpn_connection.this.transit_gateway_attachment_id
+}
+
+output "tunnel1_address" {
+ description = "The public IP address of the first VPN tunnel"
+ value = aws_vpn_connection.this.tunnel1_address
+}
+
+output "tunnel1_cgw_inside_address" {
+ description = "The RFC 6890 link-local address of the first VPN tunnel (Customer Gateway Side)"
+ value = aws_vpn_connection.this.tunnel1_cgw_inside_address
+}
+
+output "tunnel1_vgw_inside_address" {
+ description = "The RFC 6890 link-local address of the first VPN tunnel (VPN Gateway Side)"
+ value = aws_vpn_connection.this.tunnel1_vgw_inside_address
+}
+
+output "tunnel1_preshared_key" {
+ description = "The preshared key of the first VPN tunnel"
+ value = aws_vpn_connection.this.tunnel1_preshared_key
+ sensitive = true
+}
+
+output "tunnel1_bgp_asn" {
+ description = "The bgp asn number of the first VPN tunnel"
+ value = aws_vpn_connection.this.tunnel1_bgp_asn
+}
+
+output "tunnel1_bgp_holdtime" {
+ description = "The bgp holdtime of the first VPN tunnel"
+ value = aws_vpn_connection.this.tunnel1_bgp_holdtime
+}
+
+output "tunnel2_address" {
+ description = "The public IP address of the second VPN tunnel"
+ value = aws_vpn_connection.this.tunnel2_address
+}
+
+output "tunnel2_cgw_inside_address" {
+ description = "The RFC 6890 link-local address of the second VPN tunnel (Customer Gateway Side)"
+ value = aws_vpn_connection.this.tunnel2_cgw_inside_address
+}
+
+output "tunnel2_vgw_inside_address" {
+ description = "The RFC 6890 link-local address of the second VPN tunnel (VPN Gateway Side)"
+ value = aws_vpn_connection.this.tunnel2_vgw_inside_address
+}
+
+output "tunnel2_preshared_key" {
+ description = "The preshared key of the second VPN tunnel"
+ value = aws_vpn_connection.this.tunnel2_preshared_key
+ sensitive = true
+}
+
+output "tunnel2_bgp_asn" {
+ description = "The bgp asn number of the second VPN tunnel"
+ value = aws_vpn_connection.this.tunnel2_bgp_asn
+}
+
+output "tunnel2_bgp_holdtime" {
+ description = "The bgp holdtime of the second VPN tunnel"
+ value = aws_vpn_connection.this.tunnel2_bgp_holdtime
+}
+
+output "vgw_telemetry" {
+ description = "Telemetry for the VPN tunnels"
+ value = aws_vpn_connection.this.vgw_telemetry
+}
+
+output "routes" {
+ description = "The static routes associated with the VPN connection"
+ value = aws_vpn_connection.this.routes
+}
diff --git a/modules/site-to-site-vpn/variables.tf b/modules/site-to-site-vpn/variables.tf
index 4872a51..4de7742 100644
--- a/modules/site-to-site-vpn/variables.tf
+++ b/modules/site-to-site-vpn/variables.tf
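Review bot: `output "customer_gateway_configuration"` exposes the full customer-gateway XML, which carries both tunnel pre-shared keys, without `sensitive = true`, while the dedicated `tunnel1_preshared_key`/`tunnel2_preshared_key` outputs in the same hunk are correctly marked; anyone reading `terraform output` or a calling module's plan gets the PSKs through this side channel. Add `sensitive = true` to that output (if the provider already marks the attribute sensitive, Terraform will refuse the unmarked output anyway, so the flag is needed in either case). A one-line comment, `# Contains the tunnel pre-shared keys in the generated config XML`, explains the flag to the next reader; `vgw_telemetry` and the tunnel addresses are fine to leave open.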
@@ -50,46 +50,72 @@ variable "vpn_gateway_config" { variable "vpn_connection_config" { type = object({ - transit_gateway_id = optional(string, null) # The ID of the transit gateway - static_routes_only = optional(bool, false) # If true, only static routes are used - enable_acceleration = optional(bool, null) # (Optional, Supports only EC2 Transit Gateway , Note :- set default as null otherwise we get err : "enable_acceleration": all of `enable_acceleration,transit_gateway_id` must be specified - - # New fields for local and remote CIDR blocks, outside IP address type, and transit gateway attachment + transit_gateway_id = optional(string, null) # The ID of the transit gateway + vpn_gateway_id = optional(string, null) # The ID of the Virtual Private Gateway + static_routes_only = optional(bool, false) # If true, only static routes are used + enable_acceleration = optional(bool, null) # (Optional, Supports only EC2 Transit Gateway) local_ipv4_network_cidr = optional(string, "0.0.0.0/0") # The IPv4 CIDR on the customer gateway side - local_ipv6_network_cidr = optional(string, null) # The IPv6 CIDR on the customer gateway side "::/0" + local_ipv6_network_cidr = optional(string, null) # The IPv6 CIDR on the customer gateway side outside_ip_address_type = optional(string, "PublicIpv4") # Public or Private S2S VPN remote_ipv4_network_cidr = optional(string, "0.0.0.0/0") # The IPv4 CIDR on the AWS side - remote_ipv6_network_cidr = optional(string, null) # The IPv6 CIDR on the AWS side "::/0" + remote_ipv6_network_cidr = optional(string, null) # The IPv6 CIDR on the AWS side transport_transit_gateway_attachment_id = optional(string, null) # Transit Gateway attachment ID (required for PrivateIpv4) + tunnel_inside_ip_version = optional(string, "ipv4") # IPv4 or IPv6 traffic processing # Tunnel configuration options tunnel_config = object({ tunnel1 = object({ - inside_cidr = string # CIDR block of the first tunnel - preshared_key = optional(string, null) # Pre-shared key for 
the first tunnel - phase1_encryption_algorithms = optional(list(string), ["AES128", "AES256"]) # Phase 1 encryption algorithms for tunnel 1 - phase2_encryption_algorithms = optional(list(string), ["AES128", "AES256"]) # Phase 2 encryption algorithms for tunnel 1 - phase1_integrity_algorithms = optional(list(string), ["SHA1", "SHA2-256"]) # Phase 1 integrity algorithms for tunnel 1 - phase2_integrity_algorithms = optional(list(string), ["SHA1", "SHA2-256"]) # Phase 2 integrity algorithms for tunnel 1 - log_group_arn = optional(string, null) - log_group_kms_arn = optional(string, null) # null - log disabled - log_enabled = optional(bool, false) - log_output_format = optional(string, "json") - log_retention_in_days = optional(number, 7) + inside_cidr = string # CIDR block of the first tunnel + inside_ipv6_cidr = optional(string, null) # IPv6 CIDR block of the first tunnel + preshared_key = optional(string, null) # Pre-shared key for the first tunnel + dpd_timeout_action = optional(string, "clear") # DPD timeout action: clear, none, restart + dpd_timeout_seconds = optional(number, 30) # DPD timeout in seconds (>=30) + enable_tunnel_lifecycle_control = optional(bool, false) # Turn on/off tunnel endpoint lifecycle control + ike_versions = optional(list(string), ["ikev1", "ikev2"]) # IKE versions: ikev1, ikev2 + phase1_dh_group_numbers = optional(list(number), [2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24]) # Phase 1 DH group numbers + phase1_encryption_algorithms = optional(list(string), ["AES128", "AES256"]) # Phase 1 encryption algorithms + phase1_integrity_algorithms = optional(list(string), ["SHA1", "SHA2-256"]) # Phase 1 integrity algorithms + phase1_lifetime_seconds = optional(number, 28800) # Phase 1 lifetime (900-28800) + phase2_dh_group_numbers = optional(list(number), [2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24]) # Phase 2 DH group numbers + phase2_encryption_algorithms = optional(list(string), ["AES128", "AES256"]) # Phase 2 encryption algorithms + 
phase2_integrity_algorithms = optional(list(string), ["SHA1", "SHA2-256"]) # Phase 2 integrity algorithms + phase2_lifetime_seconds = optional(number, 3600) # Phase 2 lifetime (900-3600) + rekey_fuzz_percentage = optional(number, 100) # Rekey fuzz percentage (0-100) + rekey_margin_time_seconds = optional(number, 540) # Rekey margin time (60 to half of phase2_lifetime) + replay_window_size = optional(number, 1024) # Replay window size (64-2048) + startup_action = optional(string, "add") # Startup action: add, start + log_enabled = optional(bool, false) # Enable VPN tunnel logging + log_group_arn = optional(string, null) # CloudWatch log group ARN + log_group_kms_arn = optional(string, null) # KMS key for log encryption + log_output_format = optional(string, "json") # Log format: json, text + log_retention_in_days = optional(number, 7) # Log retention period }) tunnel2 = object({ - inside_cidr = string # CIDR block of the second tunnel - preshared_key = optional(string, null) # Pre-shared key for the second tunnel - phase1_encryption_algorithms = optional(list(string), ["AES128", "AES256"]) # Phase 1 encryption algorithms for tunnel 2 - phase2_encryption_algorithms = optional(list(string), ["AES128", "AES256"]) # Phase 2 encryption algorithms for tunnel 2 - phase1_integrity_algorithms = optional(list(string), ["SHA1", "SHA2-256"]) # Phase 1 integrity algorithms for tunnel 2 - phase2_integrity_algorithms = optional(list(string), ["SHA1", "SHA2-256"]) # Phase 2 integrity algorithms for tunnel 2 - log_enabled = optional(bool, false) - log_group_arn = optional(string, null) - log_group_kms_arn = optional(string, null) - log_output_format = optional(string, "json") - log_retention_in_days = optional(number, 7) + inside_cidr = string # CIDR block of the second tunnel + inside_ipv6_cidr = optional(string, null) # IPv6 CIDR block of the second tunnel + preshared_key = optional(string, null) # Pre-shared key for the second tunnel + dpd_timeout_action = optional(string, 
"clear") # DPD timeout action: clear, none, restart + dpd_timeout_seconds = optional(number, 30) # DPD timeout in seconds (>=30) + enable_tunnel_lifecycle_control = optional(bool, false) # Turn on/off tunnel endpoint lifecycle control + ike_versions = optional(list(string), ["ikev1", "ikev2"]) # IKE versions: ikev1, ikev2 + phase1_dh_group_numbers = optional(list(number), [2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24]) # Phase 1 DH group numbers + phase1_encryption_algorithms = optional(list(string), ["AES128", "AES256"]) # Phase 1 encryption algorithms + phase1_integrity_algorithms = optional(list(string), ["SHA1", "SHA2-256"]) # Phase 1 integrity algorithms + phase1_lifetime_seconds = optional(number, 28800) # Phase 1 lifetime (900-28800) + phase2_dh_group_numbers = optional(list(number), [2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24]) # Phase 2 DH group numbers + phase2_encryption_algorithms = optional(list(string), ["AES128", "AES256"]) # Phase 2 encryption algorithms + phase2_integrity_algorithms = optional(list(string), ["SHA1", "SHA2-256"]) # Phase 2 integrity algorithms + phase2_lifetime_seconds = optional(number, 3600) # Phase 2 lifetime (900-3600) + rekey_fuzz_percentage = optional(number, 100) # Rekey fuzz percentage (0-100) + rekey_margin_time_seconds = optional(number, 540) # Rekey margin time (60 to half of phase2_lifetime) + replay_window_size = optional(number, 1024) # Replay window size (64-2048) + startup_action = optional(string, "add") # Startup action: add, start + log_enabled = optional(bool, false) # Enable VPN tunnel logging + log_group_arn = optional(string, null) # CloudWatch log group ARN + log_group_kms_arn = optional(string, null) # KMS key for log encryption + log_output_format = optional(string, "json") # Log format: json, text + log_retention_in_days = optional(number, 7) # Log retention period }) }) 
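Review bot: The tunnel defaults in `tunnel_config` negotiate down to IKEv1, SHA1 and DH group 2 (1024-bit MODP; group 5 for phase 2), which look like the AWS service defaults but are weaker than a module should offer out of the box, since a peer proposing the weakest set will get it. Tightening them is a policy decision rather than a bug fix and callers needing the legacy settings can still pass them explicitly; for both tunnels and both phases that would read `ike_versions = optional(list(string), ["ikev2"])`, `phase1_integrity_algorithms = optional(list(string), ["SHA2-256", "SHA2-384", "SHA2-512"])` and `phase1_dh_group_numbers = optional(list(number), [14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24])`. The example in this diff already pins `ikev2`, which suggests the intent. The variable block continues past the hunk (the `routes` and `tags` fields and the description are outside it).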
@@ -111,7 +137,7 @@ variable "vpn_connection_config" { - `routes`: Optional static routes to add to the VPN connection. - `tags`: Key-value pairs to tag the VPN connection. EOT - + } diff --git a/modules/site-to-site-vpn/version.tf b/modules/site-to-site-vpn/version.tf index 318aeda..ba4f135 100644 --- a/modules/site-to-site-vpn/version.tf +++ b/modules/site-to-site-vpn/version.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.0, < 6.0" + version = ">= 5.0, < 7.0" } } } diff --git a/outputs.tf b/outputs.tf index dd936bc..de708a0 100644 --- a/outputs.tf +++ b/outputs.tf @@ -16,14 +16,17 @@ output "server_certificate" { output "vpn_gateway_id" { value = var.site_to_site_vpn_config.create ? module.aws_site_to_site_vpn[0].vpn_gateway_id : 0 description = "The VPN Gateway ID" + sensitive = true } output "site_to_site_vpn_id" { value = var.site_to_site_vpn_config.create ? module.aws_site_to_site_vpn[0].id : null description = "The site to site vpn ID" + sensitive = true } output "customer_gateway_id" { value = var.site_to_site_vpn_config.create ? module.aws_site_to_site_vpn[0].customer_gateway_id : null description = "Customer Gateway ID" + sensitive = true } diff --git a/variables.tf b/variables.tf index b8caef1..0d5c532 100644 --- a/variables.tf +++ b/variables.tf 
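Review bot: In the root `outputs.tf` hunk, `output "vpn_gateway_id"` falls back to `0` when the site-to-site VPN is not created while the two sibling outputs fall back to `null`, so consumers get a number in one case and a string-or-null in the others; change it to `... : null`. The three `sensitive = true` flags are presumably there because the ternary condition is derived from a sensitive `site_to_site_vpn_config` (a sensitive condition makes the whole result sensitive), not because gateway IDs are secrets, and the example module in this diff then strips them again with `nonsensitive()`. If so, `nonsensitive(var.site_to_site_vpn_config.create) ? ... : null` keeps the IDs readable without flagging them, and a comment on these outputs saying which of the two reasons applies would save the next reader the guess.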
@@ -156,44 +156,71 @@ variable "site_to_site_vpn_config" { }) vpn_connection = object({ - transit_gateway_id = optional(string, null) # The ID of the transit gateway - static_routes_only = optional(bool, false) # If true, only static routes are used - enable_acceleration = optional(bool, null) # (Optional, Default false) Indicate whether to enable acceleration for the VPN connection. Supports only EC2 Transit Gateway. - + transit_gateway_id = optional(string, null) # The ID of the transit gateway + vpn_gateway_id = optional(string, null) # The ID of the Virtual Private Gateway + static_routes_only = optional(bool, false) # If true, only static routes are used + enable_acceleration = optional(bool, null) # (Optional, Default false) Indicate whether to enable acceleration for the VPN connection. Supports only EC2 Transit Gateway. local_ipv4_network_cidr = optional(string, "0.0.0.0/0") # The IPv4 CIDR on the customer gateway side - local_ipv6_network_cidr = optional(string, null) # The IPv6 CIDR on the customer gateway side "::/0" + local_ipv6_network_cidr = optional(string, null) # The IPv6 CIDR on the customer gateway side outside_ip_address_type = optional(string, "PublicIpv4") # Public or Private S2S VPN remote_ipv4_network_cidr = optional(string, "0.0.0.0/0") # The IPv4 CIDR on the AWS side - remote_ipv6_network_cidr = optional(string, null) # The IPv6 CIDR on the AWS side "::/0" + remote_ipv6_network_cidr = optional(string, null) # The IPv6 CIDR on the AWS side transport_transit_gateway_attachment_id = optional(string, null) # Transit Gateway attachment ID (required for PrivateIpv4) + tunnel_inside_ip_version = optional(string, "ipv4") # IPv4 or IPv6 traffic processing tunnel_config = object({ tunnel1 = object({ - inside_cidr = string # CIDR block of the first tunnel - preshared_key = optional(string, null) # Pre-shared key for the first tunnel - phase1_encryption_algorithms = optional(list(string), ["AES128", "AES256"]) # Phase 1 encryption algorithms for 
tunnel 1 - phase2_encryption_algorithms = optional(list(string), ["AES128", "AES256"]) # Phase 2 encryption algorithms for tunnel 1 - phase1_integrity_algorithms = optional(list(string), ["SHA1", "SHA2-256"]) # Phase 1 integrity algorithms for tunnel 1 - phase2_integrity_algorithms = optional(list(string), ["SHA1", "SHA2-256"]) # Phase 2 integrity algorithms for tunnel 1 - log_group_arn = optional(string, null) - log_group_kms_arn = optional(string, null) # null - log disabled - log_enabled = optional(bool, false) - log_output_format = optional(string, "json") - log_retention_in_days = optional(number, 7) + inside_cidr = optional(string, null) # CIDR block of the first tunnel + inside_ipv6_cidr = optional(string, null) # IPv6 CIDR block of the first tunnel + preshared_key = optional(string, null) # Pre-shared key for the first tunnel + dpd_timeout_action = optional(string, "clear") # DPD timeout action: clear, none, restart + dpd_timeout_seconds = optional(number, 30) # DPD timeout in seconds (>=30) + enable_tunnel_lifecycle_control = optional(bool, false) # Turn on/off tunnel endpoint lifecycle control + ike_versions = optional(list(string), ["ikev1", "ikev2"]) # IKE versions: ikev1, ikev2 + phase1_dh_group_numbers = optional(list(number), [2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24]) # Phase 1 DH group numbers + phase1_encryption_algorithms = optional(list(string), ["AES128", "AES256"]) # Phase 1 encryption algorithms + phase1_integrity_algorithms = optional(list(string), ["SHA1", "SHA2-256"]) # Phase 1 integrity algorithms + phase1_lifetime_seconds = optional(number, 28800) # Phase 1 lifetime (900-28800) + phase2_dh_group_numbers = optional(list(number), [2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24]) # Phase 2 DH group numbers + phase2_encryption_algorithms = optional(list(string), ["AES128", "AES256"]) # Phase 2 encryption algorithms + phase2_integrity_algorithms = optional(list(string), ["SHA1", "SHA2-256"]) # Phase 2 integrity algorithms + 
phase2_lifetime_seconds = optional(number, 3600) # Phase 2 lifetime (900-3600) + rekey_fuzz_percentage = optional(number, 100) # Rekey fuzz percentage (0-100) + rekey_margin_time_seconds = optional(number, 540) # Rekey margin time (60 to half of phase2_lifetime) + replay_window_size = optional(number, 1024) # Replay window size (64-2048) + startup_action = optional(string, "add") # Startup action: add, start + log_enabled = optional(bool, false) # Enable VPN tunnel logging + log_group_arn = optional(string, null) # CloudWatch log group ARN + log_group_kms_arn = optional(string, null) # KMS key for log encryption + log_output_format = optional(string, "json") # Log format: json, text + log_retention_in_days = optional(number, 7) # Log retention period }) tunnel2 = object({ - inside_cidr = string # CIDR block of the second tunnel - preshared_key = optional(string, null) # Pre-shared key for the second tunnel - phase1_encryption_algorithms = optional(list(string), ["AES128", "AES256"]) # Phase 1 encryption algorithms for tunnel 2 - phase2_encryption_algorithms = optional(list(string), ["AES128", "AES256"]) # Phase 2 encryption algorithms for tunnel 2 - phase1_integrity_algorithms = optional(list(string), ["SHA1", "SHA2-256"]) # Phase 1 integrity algorithms for tunnel 2 - phase2_integrity_algorithms = optional(list(string), ["SHA1", "SHA2-256"]) # Phase 2 integrity algorithms for tunnel 2 - log_enabled = optional(bool, false) - log_group_arn = optional(string, null) - log_group_kms_arn = optional(string, null) - log_output_format = optional(string, "json") - log_retention_in_days = optional(number, 7) + inside_cidr = optional(string, null) # CIDR block of the second tunnel + inside_ipv6_cidr = optional(string, null) # IPv6 CIDR block of the second tunnel + preshared_key = optional(string, null) # Pre-shared key for the second tunnel + dpd_timeout_action = optional(string, "clear") # DPD timeout action: clear, none, restart + dpd_timeout_seconds = optional(number, 30) # 
DPD timeout in seconds (>=30) + enable_tunnel_lifecycle_control = optional(bool, false) # Turn on/off tunnel endpoint lifecycle control + ike_versions = optional(list(string), ["ikev1", "ikev2"]) # IKE versions: ikev1, ikev2 + phase1_dh_group_numbers = optional(list(number), [2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24]) # Phase 1 DH group numbers + phase1_encryption_algorithms = optional(list(string), ["AES128", "AES256"]) # Phase 1 encryption algorithms + phase1_integrity_algorithms = optional(list(string), ["SHA1", "SHA2-256"]) # Phase 1 integrity algorithms + phase1_lifetime_seconds = optional(number, 28800) # Phase 1 lifetime (900-28800) + phase2_dh_group_numbers = optional(list(number), [2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24]) # Phase 2 DH group numbers + phase2_encryption_algorithms = optional(list(string), ["AES128", "AES256"]) # Phase 2 encryption algorithms + phase2_integrity_algorithms = optional(list(string), ["SHA1", "SHA2-256"]) # Phase 2 integrity algorithms + phase2_lifetime_seconds = optional(number, 3600) # Phase 2 lifetime (900-3600) + rekey_fuzz_percentage = optional(number, 100) # Rekey fuzz percentage (0-100) + rekey_margin_time_seconds = optional(number, 540) # Rekey margin time (60 to half of phase2_lifetime) + replay_window_size = optional(number, 1024) # Replay window size (64-2048) + startup_action = optional(string, "add") # Startup action: add, start + log_enabled = optional(bool, false) # Enable VPN tunnel logging + log_group_arn = optional(string, null) # CloudWatch log group ARN + log_group_kms_arn = optional(string, null) # KMS key for log encryption + log_output_format = optional(string, "json") # Log format: json, text + log_retention_in_days = optional(number, 7) # Log retention period }) }) # VPN routes configuration (only for static routes) diff --git a/version.tf b/version.tf index 318aeda..ba4f135 100644 --- a/version.tf +++ b/version.tf 
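Review bot: `inside_cidr` becomes `optional(string, null)` here for both tunnels, while the module-level `vpn_connection_config` variable earlier in this diff still declares `inside_cidr = string` as a required attribute; the root module will now pass `null` through, which Terraform generally accepts for a required object attribute, but the two declarations should agree (make the module attribute optional too, or keep this one required) so the contract is stated once. The same weak tunnel defaults (IKEv1, SHA1, DH groups 2 and 5) are repeated here and should move in lockstep with whatever the module decides, e.g. `ike_versions = optional(list(string), ["ikev2"])`. The variable block continues past this hunk.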
@@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.0, < 6.0" + version = ">= 5.0, < 7.0" } } }