add encryption support

rhariady · rhariady · commit 9d0e963a1a96 · 2025-02-28T15:54:56.000+07:00
Signed-off-by: Ricky Hariady &lt;ricky.hariady@gmail.com&gt;
diff --git a/README.md b/README.md
@@ -44,6 +44,7 @@ Functional examples are included in the [examples](./examples/) directory. By de
 |------|-------------|------|---------|:--------:|
 | bgp | BGP information specific to this router. | <pre>object({<br>    asn               = string<br>    advertise_mode    = optional(string, "CUSTOM")<br>    advertised_groups = optional(list(string))<br>    advertised_ip_ranges = optional(list(object({<br>      range       = string<br>      description = optional(string)<br>    })), [])<br>    keepalive_interval = optional(number)<br>  })</pre> | `null` | no |
 | description | An optional description of this resource | `string` | `null` | no |
+| encrypted\_interconnect\_router | An optional field to indicate if a router is dedicated to use with encrypted Interconnect Attachment | `bool` | `false` | no |
 | name | Name of the router | `string` | n/a | yes |
 | nats | NATs to deploy on this router. | <pre>list(object({<br>    name                                = string<br>    nat_ip_allocate_option              = optional(string)<br>    source_subnetwork_ip_ranges_to_nat  = optional(string)<br>    nat_ips                             = optional(list(string), [])<br>    drain_nat_ips                       = optional(list(string), [])<br>    min_ports_per_vm                    = optional(number)<br>    max_ports_per_vm                    = optional(number)<br>    udp_idle_timeout_sec                = optional(number)<br>    icmp_idle_timeout_sec               = optional(number)<br>    tcp_established_idle_timeout_sec    = optional(number)<br>    tcp_transitory_idle_timeout_sec     = optional(number)<br>    tcp_time_wait_timeout_sec           = optional(number)<br>    enable_endpoint_independent_mapping = optional(bool)<br>    enable_dynamic_port_allocation      = optional(bool)<br><br>    log_config = optional(object({<br>      enable = optional(bool, true)<br>      filter = optional(string, "ALL")<br>    }), {})<br><br>    subnetworks = optional(list(object({<br>      name                     = string<br>      source_ip_ranges_to_nat  = list(string)<br>      secondary_ip_range_names = optional(list(string))<br>    })), [])<br><br>  }))</pre> | `[]` | no |
 | network | A reference to the network to which this router belongs | `string` | n/a | yes |
diff --git a/main.tf b/main.tf
@@ -15,11 +15,12 @@
  */
 
 resource "google_compute_router" "router" {
-  name        = var.name
-  network     = var.network
-  region      = var.region
-  project     = var.project
-  description = var.description
+  name                          = var.name
+  network                       = var.network
+  region                        = var.region
+  project                       = var.project
+  description                   = var.description
+  encrypted_interconnect_router = var.encrypted_interconnect_router
 
   dynamic "bgp" {
     for_each = var.bgp != null ? [var.bgp] : []
diff --git a/modules/interconnect_attachment/README.md b/modules/interconnect_attachment/README.md
@@ -9,8 +9,10 @@
 | bandwidth | Provisioned bandwidth capacity for the interconnect attachment | `string` | `"BPS_10G"` | no |
 | candidate\_subnets | Up to 16 candidate prefixes that can be used to restrict the allocation of cloudRouterIpAddress and customerRouterIpAddress for this attachment. All prefixes must be within link-local address space (169.254.0.0/16) and must be /29 or shorter (/28, /27, etc). | `list(string)` | `null` | no |
 | description | An optional description of this resource | `string` | `null` | no |
+| encryption | Indicates the user-supplied encryption option of this interconnect attachment. | `string` | `"NONE"` | no |
 | interconnect | URL of the underlying Interconnect object that this attachment's traffic will traverse through. | `string` | n/a | yes |
 | interface | Interface to deploy for this attachment. | <pre>object({<br>    name = string<br>  })</pre> | n/a | yes |
+| ipsec\_internal\_addresses | URL of addresses that have been reserved for the interconnect attachment, Used only for interconnect attachment that has the encryption option as IPSEC. | `list(string)` | `[]` | no |
 | mtu | Maximum Transmission Unit (MTU), in bytes, of packets passing through this interconnect attachment. Currently, only 1440 and 1500 are allowed. If not specified, the value will default to 1440. | `string` | `null` | no |
 | name | The name of the interconnect attachment | `string` | n/a | yes |
 | peer | BGP Peer for this attachment. | <pre>object({<br>    name                      = string<br>    peer_asn                  = string<br>    advertised_route_priority = optional(number)<br>    bfd = optional(object({<br>      session_initialization_mode = string<br>      min_transmit_interval       = optional(number)<br>      min_receive_interval        = optional(number)<br>      multiplier                  = optional(number)<br>    }))<br>  })</pre> | n/a | yes |
diff --git a/modules/interconnect_attachment/main.tf b/modules/interconnect_attachment/main.tf
@@ -15,18 +15,20 @@
  */
 
 resource "google_compute_interconnect_attachment" "attachment" {
-  name              = var.name
-  router            = var.router
-  project           = var.project
-  region            = var.region
-  interconnect      = var.interconnect
-  admin_enabled     = var.admin_enabled
-  type              = var.type
-  description       = var.description
-  bandwidth         = var.bandwidth
-  mtu               = var.mtu
-  candidate_subnets = var.candidate_subnets
-  vlan_tag8021q     = var.vlan_tag8021q
+  name                     = var.name
+  router                   = var.router
+  project                  = var.project
+  region                   = var.region
+  interconnect             = var.interconnect
+  admin_enabled            = var.admin_enabled
+  type                     = var.type
+  description              = var.description
+  bandwidth                = var.bandwidth
+  mtu                      = var.mtu
+  candidate_subnets        = var.candidate_subnets
+  vlan_tag8021q            = var.vlan_tag8021q
+  encryption               = var.encryption
+  ipsec_internal_addresses = var.ipsec_internal_addresses
 }
 
 module "interface" {
diff --git a/modules/interconnect_attachment/variables.tf b/modules/interconnect_attachment/variables.tf
@@ -81,6 +81,18 @@ variable "vlan_tag8021q" {
   default     = null
 }
 
+variable "encryption" {
+  type        = string
+  description = "Indicates the user-supplied encryption option of this interconnect attachment."
+  default     = "NONE"
+}
+
+variable "ipsec_internal_addresses" {
+  type        = list(string)
+  description = "URL of addresses that have been reserved for the interconnect attachment, Used only for interconnect attachment that has the encryption option as IPSEC."
+  default     = []
+}
+
 variable "interface" {
   description = "Interface to deploy for this attachment."
   type = object({
diff --git a/variables.tf b/variables.tf
@@ -40,6 +40,12 @@ variable "description" {
   default     = null
 }
 
+variable "encrypted_interconnect_router" {
+  type        = bool
+  description = "An optional field to indicate if a router is dedicated to use with encrypted Interconnect Attachment"
+  default     = false
+}
+
 # Type: object, with fields:
 # - asn (string, required): Local BGP Autonomous System Number (ASN).
 # - advertised_groups (list(string), optional): User-specified list of prefix groups to advertise.
