# vpn-connection

This module creates the following resources.

- `aws_vpn_connection`
- `aws_vpn_connection_route` (optional)
- `aws_ec2_tag` (optional)

## Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.12 |
| assert | >= 0.16 |
| aws | >= 6.12 |

## Providers

| Name | Version |
|------|---------|
| aws | 6.23.0 |

## Modules

| Name | Source | Version |
|------|--------|---------|
| resource_group | tedilabs/misc/aws//modules/resource-group | ~> 0.12.0 |

## Resources

| Name | Type |
|------|------|
| aws_ec2_tag.this | resource |
| aws_vpn_connection.this | resource |
| aws_vpn_connection_route.this | resource |
| aws_customer_gateway.this | data source |
| aws_default_tags.this | data source |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| customer_gateway | (Required) The configuration for the customer gateway of the VPN connection. `customer_gateway` block as defined below.<br>    (Required) `id` - The ID of the customer gateway.<br>    (Optional) `outside_ip_address_type` - Whether the customer gateway device is using a public or private IPv4 address. Valid values are `PublicIpv4` and `PrivateIpv4`. Defaults to `PublicIpv4`. Configure `PrivateIpv4` if you are creating a private IP VPN connection over AWS Direct Connect.<br>    (Optional) `transport_transit_gateway_attachment` - The attachment ID of the transport transit gateway for the AWS Direct Connect Gateway to be used for the private IP VPN connection. The ID is obtained through a data source only. Required when `outside_ip_address_type` is set to `PrivateIpv4`. | <pre>object({<br>    id = string<br>    outside_ip_address_type = optional(string, "PublicIpv4")<br>    transport_transit_gateway_attachment = optional(string)<br>  })</pre> | n/a | yes |
| name | (Required) A name for the VPN connection. | `string` | n/a | yes |
| acceleration_enabled | (Optional) Whether to enable acceleration for the VPN connection. Supported only for a `TRANSIT_GATEWAY` type target gateway. Defaults to `false`. | `bool` | `false` | no |
| local_ipv4_cidr | (Optional) The IPv4 CIDR on the customer gateway (on-premises) side of the VPN connection. Defaults to `0.0.0.0/0`. | `string` | `"0.0.0.0/0"` | no |
| local_ipv6_cidr | (Optional) The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection. Defaults to `::/0`. | `string` | `"::/0"` | no |
| module_tags_enabled | (Optional) Whether to create AWS Resource Tags for the module information. | `bool` | `true` | no |
| region | (Optional) The region in which to create the module resources. If not provided, the module resources will be created in the provider's configured region. | `string` | `null` | no |
| remote_ipv4_cidr | (Optional) The IPv4 CIDR on the AWS side of the VPN connection. Defaults to `0.0.0.0/0`. | `string` | `"0.0.0.0/0"` | no |
| remote_ipv6_cidr | (Optional) The IPv6 CIDR on the AWS side of the VPN connection. Defaults to `::/0`. | `string` | `"::/0"` | no |
| resource_group | (Optional) A configuration of the Resource Group for this module. `resource_group` as defined below.<br>    (Optional) `enabled` - Whether to create a Resource Group to find and group AWS resources which are created by this module. Defaults to `true`.<br>    (Optional) `name` - The name of the Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. If not provided, a name will be generated using the module name and instance name.<br>    (Optional) `description` - The description of the Resource Group. Defaults to `Managed by Terraform.`. | <pre>object({<br>    enabled = optional(bool, true)<br>    name = optional(string, "")<br>    description = optional(string, "Managed by Terraform.")<br>  })</pre> | `{}` | no |
| routing_type | (Optional) The type of routing, which depends on the make and model of the customer gateway device. Valid values are `DYNAMIC` and `STATIC`. Defaults to `DYNAMIC`.<br>    `DYNAMIC` - The customer gateway device supports Border Gateway Protocol (BGP).<br>    `STATIC` - The customer gateway device does not support BGP. | `string` | `"DYNAMIC"` | no |
| static_routing_destination_cidrs | (Optional) A set of the CIDR blocks associated with the local subnet of the customer data center. | `set(string)` | `[]` | no |
| tags | (Optional) A map of tags to add to all resources. | `map(string)` | `{}` | no |
| target_gateway | (Optional) The configuration for the target gateway of the VPN connection. `target_gateway` block as defined below.<br>    (Optional) `type` - The type of the target gateway. Valid values are `TRANSIT_GATEWAY`, `VPN_GATEWAY`, `NONE`.<br>    (Optional) `id` - The ID of the EC2 Transit Gateway or the Virtual Private Gateway. | <pre>object({<br>    type = optional(string, "NONE")<br>    id = optional(string)<br>  })</pre> | `{}` | no |
| tunnel1_activity_log | (Optional) A configuration of the tunnel activity log for the first VPN tunnel. `tunnel1_activity_log` block as defined below.<br>    (Optional) `cloudwatch` - A configuration of CloudWatch Logs for the tunnel activity log. The tunnel activity log captures log messages for IPsec activity and DPD protocol messages. `cloudwatch` block as defined below.<br>        (Optional) `enabled` - Whether to enable sending tunnel activity log messages to CloudWatch Logs. Defaults to `false`.<br>        (Optional) `log_group` - The ARN (Amazon Resource Name) of the CloudWatch log group to send logs to.<br>        (Optional) `log_format` - The log format. Valid values are `json` and `text`. Defaults to `json`. | <pre>object({<br>    cloudwatch = optional(object({<br>      enabled = optional(bool, false)<br>      log_group = optional(string)<br>      log_format = optional(string, "json")<br>    }), {}),<br>  })</pre> | `{}` | no |
| tunnel1_dpd | (Optional) A configuration of DPD (Dead Peer Detection) for the first VPN tunnel. `tunnel1_dpd` block as defined below.<br>    (Optional) `timeout` - The number of seconds after which a DPD timeout occurs for the first VPN tunnel. Valid values are `30` or higher. Defaults to `30`.<br>    (Optional) `timeout_action` - The action to take after a DPD timeout occurs for the first VPN tunnel. Valid values are `CLEAR`, `NONE`, `RESTART`. Defaults to `CLEAR`.<br>        `CLEAR` - End the IKE session.<br>        `NONE` - Do nothing.<br>        `RESTART` - Restart the IKE initiation. | <pre>object({<br>    timeout = optional(number, 30),<br>    timeout_action = optional(string, "CLEAR"),<br>  })</pre> | `{}` | no |
| tunnel1_ike_phase1 | (Optional) A configuration of phase 1 IKE negotiations for the first VPN tunnel. `tunnel1_ike_phase1` block as defined below.<br>    (Optional) `encryption_algorithms` - A set of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are `AES128`, `AES256`, `AES128-GCM-16`, `AES256-GCM-16`. Defaults to all.<br>    (Optional) `integrity_algorithms` - A set of one or more integrity algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are `SHA1`, `SHA2-256`, `SHA2-384`, `SHA2-512`. Defaults to all.<br>    (Optional) `dh_group_numbers` - A set of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are `2`, `14`, `15`, `16`, `17`, `18`, `19`, `20`, `21`, `22`, `23`, `24`. Defaults to all.<br>    (Optional) `lifetime` - The lifetime for phase 1 of the IKE negotiation for the first VPN tunnel, in seconds. Valid values are between `900` and `28800`. Defaults to `28800`. | <pre>object({<br>    encryption_algorithms = optional(set(string), ["AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"]),<br>    integrity_algorithms = optional(set(string), ["SHA1", "SHA2-256", "SHA2-384", "SHA2-512"]),<br>    dh_group_numbers = optional(set(number), [2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24])<br>    lifetime = optional(number, 28800)<br>  })</pre> | `{}` | no |
| tunnel1_ike_phase2 | (Optional) A configuration of phase 2 IKE negotiations for the first VPN tunnel. `tunnel1_ike_phase2` block as defined below.<br>    (Optional) `encryption_algorithms` - A set of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are `AES128`, `AES256`, `AES128-GCM-16`, `AES256-GCM-16`. Defaults to all.<br>    (Optional) `integrity_algorithms` - A set of one or more integrity algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are `SHA1`, `SHA2-256`, `SHA2-384`, `SHA2-512`. Defaults to all.<br>    (Optional) `dh_group_numbers` - A set of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are `2`, `5`, `14`, `15`, `16`, `17`, `18`, `19`, `20`, `21`, `22`, `23`, `24`. Defaults to all.<br>    (Optional) `lifetime` - The lifetime for phase 2 of the IKE negotiation for the first VPN tunnel, in seconds. Valid values are between `900` and `3600`. Defaults to `3600`. | <pre>object({<br>    encryption_algorithms = optional(set(string), ["AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"]),<br>    integrity_algorithms = optional(set(string), ["SHA1", "SHA2-256", "SHA2-384", "SHA2-512"]),<br>    dh_group_numbers = optional(set(number), [2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24])<br>    lifetime = optional(number, 3600)<br>  })</pre> | `{}` | no |
| tunnel1_ike_rekey | (Optional) A configuration of IKE rekey for the first VPN tunnel. `tunnel1_ike_rekey` block as defined below.<br>    (Optional) `margin_time` - The period of time before the phase 1 and 2 lifetimes expire, during which AWS initiates an IKE rekey. Valid values are between `60` and half of the phase 2 lifetime. Defaults to `270`.<br>    (Optional) `fuzz` - The percentage of the rekey window for the first VPN tunnel (determined by the rekey margin time) within which the rekey time is randomly selected. Valid values are between `0` and `100`. Defaults to `100`. | <pre>object({<br>    margin_time = optional(number, 270),<br>    fuzz = optional(number, 100),<br>  })</pre> | `{}` | no |
| tunnel1_ike_replay_window_size | (Optional) The number of packets in an IKE replay window for the first VPN tunnel. Valid values are between `64` and `2048`. Defaults to `1024`. | `number` | `1024` | no |
| tunnel1_ike_versions | (Optional) A set of the internet key exchange (IKE) versions permitted for the first VPN tunnel. Valid values are `ikev1`, `ikev2`. Defaults to all. | `set(string)` | <pre>[<br>  "ikev1",<br>  "ikev2"<br>]</pre> | no |
| tunnel1_inside_ipv4_cidr | (Optional) The IPv4 CIDR of the inside IP addresses for the first VPN tunnel. Valid value is a size `/30` CIDR block from the `169.254.0.0/16` range. Defaults to a value randomly generated by Amazon. | `string` | `null` | no |
| tunnel1_inside_ipv6_cidr | (Optional) The IPv6 CIDR of the inside IP addresses for the first VPN tunnel. Valid value is a size `/126` CIDR block from the local `fd00::/8` range. Supported only for a `TRANSIT_GATEWAY` type target gateway. Defaults to a value randomly generated by Amazon. | `string` | `null` | no |
| tunnel1_preshared_key | (Optional) The preshared key of the first VPN tunnel. The preshared key must be between 8 and 64 characters in length and cannot start with zero (`0`). Allowed characters are alphanumeric characters, periods (`.`) and underscores (`_`). Defaults to a value randomly generated by Amazon. | `string` | `null` | no |
| tunnel1_startup_action | (Optional) The action to take when establishing the first VPN tunnel. Valid values are `ADD` and `START`. Defaults to `ADD`.<br>    `ADD` - Initiate the IKE negotiation and bring up the tunnel by the customer gateway device.<br>    `START` - Initiate the IKE negotiation and bring up the tunnel by AWS. | `string` | `"ADD"` | no |
| tunnel1_tunnel_endpoint_lifecycle_control_enabled | (Optional) Whether to enable the tunnel endpoint lifecycle control feature for the first VPN tunnel. Tunnel endpoint lifecycle control provides control over the schedule of endpoint replacements. With this feature, you can choose to accept AWS managed updates to tunnel endpoints at a time that works best for your business. Defaults to `false`. | `bool` | `false` | no |
| tunnel2_activity_log | (Optional) A configuration of the tunnel activity log for the second VPN tunnel. `tunnel2_activity_log` block as defined below.<br>    (Optional) `cloudwatch` - A configuration of CloudWatch Logs for the tunnel activity log. The tunnel activity log captures log messages for IPsec activity and DPD protocol messages. `cloudwatch` block as defined below.<br>        (Optional) `enabled` - Whether to enable sending tunnel activity log messages to CloudWatch Logs. Defaults to `false`.<br>        (Optional) `log_group` - The ARN (Amazon Resource Name) of the CloudWatch log group to send logs to.<br>        (Optional) `log_format` - The log format. Valid values are `json` and `text`. Defaults to `json`. | <pre>object({<br>    cloudwatch = optional(object({<br>      enabled = optional(bool, false)<br>      log_group = optional(string)<br>      log_format = optional(string, "json")<br>    }), {}),<br>  })</pre> | `{}` | no |
| tunnel2_dpd | (Optional) A configuration of DPD (Dead Peer Detection) for the second VPN tunnel. `tunnel2_dpd` block as defined below.<br>    (Optional) `timeout` - The number of seconds after which a DPD timeout occurs for the second VPN tunnel. Valid values are `30` or higher. Defaults to `30`.<br>    (Optional) `timeout_action` - The action to take after a DPD timeout occurs for the second VPN tunnel. Valid values are `CLEAR`, `NONE`, `RESTART`. Defaults to `CLEAR`.<br>        `CLEAR` - End the IKE session.<br>        `NONE` - Do nothing.<br>        `RESTART` - Restart the IKE initiation. | <pre>object({<br>    timeout = optional(number, 30),<br>    timeout_action = optional(string, "CLEAR"),<br>  })</pre> | `{}` | no |
| tunnel2_ike_phase1 | (Optional) A configuration of phase 1 IKE negotiations for the second VPN tunnel. `tunnel2_ike_phase1` block as defined below.<br>    (Optional) `encryption_algorithms` - A set of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are `AES128`, `AES256`, `AES128-GCM-16`, `AES256-GCM-16`. Defaults to all.<br>    (Optional) `integrity_algorithms` - A set of one or more integrity algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are `SHA1`, `SHA2-256`, `SHA2-384`, `SHA2-512`. Defaults to all.<br>    (Optional) `dh_group_numbers` - A set of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are `2`, `14`, `15`, `16`, `17`, `18`, `19`, `20`, `21`, `22`, `23`, `24`. Defaults to all.<br>    (Optional) `lifetime` - The lifetime for phase 1 of the IKE negotiation for the second VPN tunnel, in seconds. Valid values are between `900` and `28800`. Defaults to `28800`. | <pre>object({<br>    encryption_algorithms = optional(set(string), ["AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"]),<br>    integrity_algorithms = optional(set(string), ["SHA1", "SHA2-256", "SHA2-384", "SHA2-512"]),<br>    dh_group_numbers = optional(set(number), [2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24])<br>    lifetime = optional(number, 28800)<br>  })</pre> | `{}` | no |
| tunnel2_ike_phase2 | (Optional) A configuration of phase 2 IKE negotiations for the second VPN tunnel. `tunnel2_ike_phase2` block as defined below.<br>    (Optional) `encryption_algorithms` - A set of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are `AES128`, `AES256`, `AES128-GCM-16`, `AES256-GCM-16`. Defaults to all.<br>    (Optional) `integrity_algorithms` - A set of one or more integrity algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are `SHA1`, `SHA2-256`, `SHA2-384`, `SHA2-512`. Defaults to all.<br>    (Optional) `dh_group_numbers` - A set of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are `2`, `5`, `14`, `15`, `16`, `17`, `18`, `19`, `20`, `21`, `22`, `23`, `24`. Defaults to all.<br>    (Optional) `lifetime` - The lifetime for phase 2 of the IKE negotiation for the second VPN tunnel, in seconds. Valid values are between `900` and `3600`. Defaults to `3600`. | <pre>object({<br>    encryption_algorithms = optional(set(string), ["AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"]),<br>    integrity_algorithms = optional(set(string), ["SHA1", "SHA2-256", "SHA2-384", "SHA2-512"]),<br>    dh_group_numbers = optional(set(number), [2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24])<br>    lifetime = optional(number, 3600)<br>  })</pre> | `{}` | no |
| tunnel2_ike_rekey | (Optional) A configuration of IKE rekey for the second VPN tunnel. `tunnel2_ike_rekey` block as defined below.<br>    (Optional) `margin_time` - The period of time before the phase 1 and 2 lifetimes expire, during which AWS initiates an IKE rekey. Valid values are between `60` and half of the phase 2 lifetime. Defaults to `270`.<br>    (Optional) `fuzz` - The percentage of the rekey window for the second VPN tunnel (determined by the rekey margin time) within which the rekey time is randomly selected. Valid values are between `0` and `100`. Defaults to `100`. | <pre>object({<br>    margin_time = optional(number, 270),<br>    fuzz = optional(number, 100),<br>  })</pre> | `{}` | no |
| tunnel2_ike_replay_window_size | (Optional) The number of packets in an IKE replay window for the second VPN tunnel. Valid values are between `64` and `2048`. Defaults to `1024`. | `number` | `1024` | no |
| tunnel2_ike_versions | (Optional) A set of the internet key exchange (IKE) versions permitted for the second VPN tunnel. Valid values are `ikev1`, `ikev2`. Defaults to all. | `set(string)` | <pre>[<br>  "ikev1",<br>  "ikev2"<br>]</pre> | no |
| tunnel2_inside_ipv4_cidr | (Optional) The IPv4 CIDR of the inside IP addresses for the second VPN tunnel. Valid value is a size `/30` CIDR block from the `169.254.0.0/16` range. Defaults to a value randomly generated by Amazon. | `string` | `null` | no |
| tunnel2_inside_ipv6_cidr | (Optional) The IPv6 CIDR of the inside IP addresses for the second VPN tunnel. Valid value is a size `/126` CIDR block from the local `fd00::/8` range. Supported only for a `TRANSIT_GATEWAY` type target gateway. Defaults to a value randomly generated by Amazon. | `string` | `null` | no |
| tunnel2_preshared_key | (Optional) The preshared key of the second VPN tunnel. The preshared key must be between 8 and 64 characters in length and cannot start with zero (`0`). Allowed characters are alphanumeric characters, periods (`.`) and underscores (`_`). Defaults to a value randomly generated by Amazon. | `string` | `null` | no |
| tunnel2_startup_action | (Optional) The action to take when establishing the second VPN tunnel. Valid values are `ADD` and `START`. Defaults to `ADD`.<br>    `ADD` - Initiate the IKE negotiation and bring up the tunnel by the customer gateway device.<br>    `START` - Initiate the IKE negotiation and bring up the tunnel by AWS. | `string` | `"ADD"` | no |
| tunnel2_tunnel_endpoint_lifecycle_control_enabled | (Optional) Whether to enable the tunnel endpoint lifecycle control feature for the second VPN tunnel. Tunnel endpoint lifecycle control provides control over the schedule of endpoint replacements. With this feature, you can choose to accept AWS managed updates to tunnel endpoints at a time that works best for your business. Defaults to `false`. | `bool` | `false` | no |
| tunnel_inside_ip_version | (Optional) The IP address version of the traffic from the VPN tunnels. Valid values are `IPv4` and `IPv6`. Defaults to `IPv4`. Supported only for a `TRANSIT_GATEWAY` type target gateway. | `string` | `"IPv4"` | no |
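The defaults above deliberately accept everything the AWS API allows: both IKE versions, `SHA1`, DH group `2`, and no tunnel activity log. The following root-module configuration is an added example, not code from this README or from the tedilabs project, showing how a caller narrows that surface through the documented inputs: IKEv2 only, one AEAD cipher and one ECP group per phase, DPD set to restart rather than clear, activity logs shipped to CloudWatch, and the pre-shared keys supplied from a `sensitive` variable whose `validation` block mirrors the PSK rule stated in the table. The module `source` path, the log group name, the placeholder `cgw-`/`tgw-` IDs and the `tunnel_psks` variable are assumptions; every value passed to a module input is one the table lists as valid.

```hcl
# Added example (not the module's own code). Assumed: the module lives at
# ../../modules/vpn-connection, the gateway IDs below are placeholders, and the
# PSKs arrive via TF_VAR_tunnel_psks or a secrets backend, never in source.

variable "tunnel_psks" {
  description = "Pre-shared keys for tunnel 1 and tunnel 2."
  type        = list(string)
  sensitive   = true

  validation {
    # Documented rule: 8-64 chars, alphanumeric / '.' / '_', must not start with 0.
    condition = length(var.tunnel_psks) == 2 && alltrue([
      for k in var.tunnel_psks : can(regex("^[A-Za-z1-9._][A-Za-z0-9._]{7,63}$", k))
    ])
    error_message = "Provide exactly two PSKs of 8-64 alphanumeric/./_ characters that do not start with 0."
  }
}

# Destination for the tunnel activity log (IPsec and DPD messages).
resource "aws_cloudwatch_log_group" "vpn_tunnels" {
  name              = "/vpn/site-a" # assumed name
  retention_in_days = 90
}

# One profile applied to both tunnels so their negotiated parameters cannot drift apart.
locals {
  ike_phase1 = {
    encryption_algorithms = ["AES256-GCM-16"]
    integrity_algorithms  = ["SHA2-384"]
    dh_group_numbers      = [20]
    lifetime              = 28800
  }
  ike_phase2 = {
    encryption_algorithms = ["AES256-GCM-16"]
    integrity_algorithms  = ["SHA2-384"]
    dh_group_numbers      = [20]
    lifetime              = 3600
  }
  dpd = {
    timeout        = 30
    timeout_action = "RESTART" # re-initiate IKE instead of silently clearing the SA
  }
  activity_log = {
    cloudwatch = {
      enabled    = true
      log_group  = aws_cloudwatch_log_group.vpn_tunnels.arn
      log_format = "json"
    }
  }
}

module "site_a_vpn" {
  source = "../../modules/vpn-connection" # assumed path to this module

  name         = "site-a"
  routing_type = "DYNAMIC"

  customer_gateway = {
    id = "cgw-0123456789abcdef0" # placeholder
  }
  target_gateway = {
    type = "TRANSIT_GATEWAY"
    id   = "tgw-0123456789abcdef0" # placeholder
  }

  # The module default also permits ikev1; restrict to ikev2.
  tunnel1_ike_versions = ["ikev2"]
  tunnel2_ike_versions = ["ikev2"]

  tunnel1_ike_phase1 = local.ike_phase1
  tunnel2_ike_phase1 = local.ike_phase1
  tunnel1_ike_phase2 = local.ike_phase2
  tunnel2_ike_phase2 = local.ike_phase2

  tunnel1_dpd = local.dpd
  tunnel2_dpd = local.dpd

  tunnel1_activity_log = local.activity_log
  tunnel2_activity_log = local.activity_log

  tunnel1_preshared_key = var.tunnel_psks[0]
  tunnel2_preshared_key = var.tunnel_psks[1]
}
```

Because the `validation` block enforces the PSK format, a malformed key fails at `terraform plan` rather than surfacing as an API error during `apply`. The `tunnel1_preshared_key` and `tunnel2_preshared_key` outputs of this module will carry the same values, so treat the state file as holding secrets regardless of where the keys originate.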

## Outputs

| Name | Description |
|------|-------------|
| acceleration_enabled | Whether acceleration for the VPN connection is enabled. |
| arn | The ARN (Amazon Resource Name) of the VPN connection. |
| core_network | The configuration for the core network of the VPN connection.<br>    `arn` - The ARN of the core network.<br>    `attachment` - The ARN of the core network attachment. |
| customer_gateway | The information for the customer gateway of the VPN connection.<br>    `id` - The ID of the customer gateway.<br>    `outside_ip_address_type` - Whether the customer gateway device is using a public or private IPv4 address.<br>    `transport_transit_gateway_attachment` - The attachment ID of the transport transit gateway for the AWS Direct Connect Gateway to be used for the private IP VPN connection. |
| customer_gateway_configuration | The configuration for the customer gateway of the VPN connection. |
| debug | For debugging purposes. |
| id | The ID of the VPN connection. |
| local_ipv4_cidr | The IPv4 CIDR on the customer gateway (on-premises) side of the VPN connection. |
| local_ipv6_cidr | The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection. |
| name | The name of the VPN connection. |
| region | The AWS region this module's resources reside in. |
| remote_ipv4_cidr | The IPv4 CIDR on the AWS side of the VPN connection. |
| remote_ipv6_cidr | The IPv6 CIDR on the AWS side of the VPN connection. |
| resource_group | The resource group created to manage resources in this module. |
| routing_type | The type of routing, which depends on the make and model of the customer gateway device. |
| target_gateway | The information for the target gateway of the VPN connection.<br>    `type` - The type of the target gateway.<br>    `id` - The ID of the target gateway. |
| transit_gateway_attachment | The ID of the Transit Gateway VPN attachment. |
| tunnel1 | The configuration for tunnel 1 of the VPN connection.<br>    `bgp` - The BGP information for the first VPN tunnel.<br>        `asn` - The BGP ASN number of the first VPN tunnel.<br>        `holdtime` - The BGP holdtime of the first VPN tunnel. |
| tunnel1_activity_log | The configuration of the tunnel activity log for the first VPN tunnel.<br>    `cloudwatch` - The configuration of CloudWatch Logs for the tunnel activity log. |
| tunnel1_ike | The IKE configuration for the first VPN tunnel.<br>    `versions` - A set of the internet key exchange (IKE) versions permitted for the first VPN tunnel.<br>    `rekey` - The configuration of IKE rekey for the first VPN tunnel.<br>    `replay_window_size` - The number of packets in an IKE replay window for the first VPN tunnel.<br>    `phase1` - The configuration of phase 1 IKE negotiations for the first VPN tunnel.<br>    `phase2` - The configuration of phase 2 IKE negotiations for the first VPN tunnel. |
| tunnel1_initiation | The initiation options for the first VPN tunnel.<br>    `startup_action` - The action to take when establishing the first VPN tunnel.<br>    `dpd` - The configuration of DPD (Dead Peer Detection) for the first VPN tunnel. |
| tunnel1_preshared_key | The preshared key of the first VPN tunnel. |
| tunnel2 | The configuration for tunnel 2 of the VPN connection.<br>    `bgp` - The BGP information for the second VPN tunnel.<br>        `asn` - The BGP ASN number of the second VPN tunnel.<br>        `holdtime` - The BGP holdtime of the second VPN tunnel. |
| tunnel2_activity_log | The configuration of the tunnel activity log for the second VPN tunnel.<br>    `cloudwatch` - The configuration of CloudWatch Logs for the tunnel activity log. |
| tunnel2_ike | The IKE configuration for the second VPN tunnel.<br>    `versions` - A set of the internet key exchange (IKE) versions permitted for the second VPN tunnel.<br>    `rekey` - The configuration of IKE rekey for the second VPN tunnel.<br>    `replay_window_size` - The number of packets in an IKE replay window for the second VPN tunnel.<br>    `phase1` - The configuration of phase 1 IKE negotiations for the second VPN tunnel.<br>    `phase2` - The configuration of phase 2 IKE negotiations for the second VPN tunnel. |
| tunnel2_initiation | The initiation options for the second VPN tunnel.<br>    `startup_action` - The action to take when establishing the second VPN tunnel.<br>    `dpd` - The configuration of DPD (Dead Peer Detection) for the second VPN tunnel. |
| tunnel2_preshared_key | The preshared key of the second VPN tunnel. |
| tunnel_inside_ip_version | The IP address version of the traffic from the VPN tunnels. |
| type | The type of VPN connection. |