feat: MD5 authentication for BGP support (#149)

rhariady · web-flow · commit e6f8b6c73f56 · 2025-04-24T10:45:05.000-05:00
Signed-off-by: Ricky Hariady &lt;ricky.hariady@gmail.com&gt;
diff --git a/modules/interconnect_attachment/README.md b/modules/interconnect_attachment/README.md
@@ -15,7 +15,7 @@
 | ipsec\_internal\_addresses | URL of addresses that have been reserved for the interconnect attachment, Used only for interconnect attachment that has the encryption option as IPSEC. | `list(string)` | `[]` | no |
 | mtu | Maximum Transmission Unit (MTU), in bytes, of packets passing through this interconnect attachment. Currently, only 1440 and 1500 are allowed. If not specified, the value will default to 1440. | `string` | `null` | no |
 | name | The name of the interconnect attachment | `string` | n/a | yes |
-| peer | BGP Peer for this attachment. | <pre>object({<br>    name                      = string<br>    peer_asn                  = string<br>    advertised_route_priority = optional(number)<br>    bfd = optional(object({<br>      session_initialization_mode = string<br>      min_transmit_interval       = optional(number)<br>      min_receive_interval        = optional(number)<br>      multiplier                  = optional(number)<br>    }))<br>  })</pre> | n/a | yes |
+| peer | BGP Peer for this attachment. | <pre>object({<br>    name                      = string<br>    peer_asn                  = string<br>    advertised_route_priority = optional(number)<br>    bfd = optional(object({<br>      session_initialization_mode = string<br>      min_transmit_interval       = optional(number)<br>      min_receive_interval        = optional(number)<br>      multiplier                  = optional(number)<br>    }))<br>    md5_authentication_key = optional(object({<br>      name = string<br>      key  = string<br>    }))<br>  })</pre> | n/a | yes |
 | project | The project ID to deploy to | `string` | n/a | yes |
 | region | Region where the attachment resides | `string` | n/a | yes |
 | router | Name of the router the attachment resides | `string` | n/a | yes |
diff --git a/modules/interconnect_attachment/main.tf b/modules/interconnect_attachment/main.tf
@@ -45,7 +45,8 @@ module "interface" {
     # Peer IP Address must not contain the subnet mask, else will throw an invalid IP address error.
     peer_ip_address           = element(split("/", google_compute_interconnect_attachment.attachment.customer_router_ip_address), 0)
     peer_asn                  = var.peer.peer_asn
-    advertised_route_priority = lookup(var.peer, "advertised_route_priority", null)
-    bfd                       = lookup(var.peer, "bfd", null)
+    advertised_route_priority = try(var.peer.advertised_route_priority, null)
+    bfd                       = try(var.peer.bfd, null)
+    md5_authentication_key    = try(var.peer.md5_authentication_key, null)
   }]
 }
diff --git a/modules/interconnect_attachment/variables.tf b/modules/interconnect_attachment/variables.tf
@@ -112,5 +112,9 @@ variable "peer" {
       min_receive_interval        = optional(number)
       multiplier                  = optional(number)
     }))
+    md5_authentication_key = optional(object({
+      name = string
+      key  = string
+    }))
   })
 }
diff --git a/modules/interface/README.md b/modules/interface/README.md
@@ -8,7 +8,7 @@
 | interconnect\_attachment | The name or resource link to the VLAN interconnect for this interface | `string` | `null` | no |
 | ip\_range | IP address and range of the interface | `string` | `null` | no |
 | name | The name of the interface | `string` | n/a | yes |
-| peers | BGP peers for this interface. | <pre>list(object({<br>    name                      = string<br>    peer_ip_address           = string<br>    peer_asn                  = string<br>    advertised_route_priority = optional(number)<br>    bfd = object({<br>      session_initialization_mode = string<br>      min_transmit_interval       = optional(number)<br>      min_receive_interval        = optional(number)<br>      multiplier                  = optional(number)<br>    })<br>  }))</pre> | `[]` | no |
+| peers | BGP peers for this interface. | <pre>list(object({<br>    name                      = string<br>    peer_ip_address           = string<br>    peer_asn                  = string<br>    advertised_route_priority = optional(number)<br>    bfd = object({<br>      session_initialization_mode = string<br>      min_transmit_interval       = optional(number)<br>      min_receive_interval        = optional(number)<br>      multiplier                  = optional(number)<br>    })<br>    md5_authentication_key = optional(object({<br>      name = string<br>      key  = string<br>    }))<br>  }))</pre> | `[]` | no |
 | project | The project ID to deploy to | `string` | n/a | yes |
 | region | Region where the interface resides | `string` | n/a | yes |
 | router | Name of the router the interface resides | `string` | n/a | yes |
diff --git a/modules/interface/main.tf b/modules/interface/main.tf
@@ -37,15 +37,23 @@ resource "google_compute_router_peer" "peers" {
   interface                 = google_compute_router_interface.interface.name
   peer_ip_address           = each.value.peer_ip_address
   peer_asn                  = each.value.peer_asn
-  advertised_route_priority = lookup(each.value, "advertised_route_priority", null)
+  advertised_route_priority = try(each.value.advertised_route_priority, null)
 
   dynamic "bfd" {
-    for_each = lookup(each.value, "bfd", null) == null ? [] : [""]
+    for_each = try(each.value.bfd, null) == null ? [] : [""]
     content {
       session_initialization_mode = try(each.value.bfd.session_initialization_mode, null)
       min_receive_interval        = try(each.value.bfd.min_receive_interval, null)
       min_transmit_interval       = try(each.value.bfd.min_transmit_interval, null)
       multiplier                  = try(each.value.bfd.multiplier, null)
     }
   }
+
+  dynamic "md5_authentication_key" {
+    for_each = try(each.value.md5_authentication_key, null) == null ? [] : [""]
+    content {
+      name = each.value.md5_authentication_key.name
+      key  = each.value.md5_authentication_key.key
+    }
+  }
 }
diff --git a/modules/interface/variables.tf b/modules/interface/variables.tf
@@ -64,6 +64,10 @@ variable "peers" {
       min_receive_interval        = optional(number)
       multiplier                  = optional(number)
     })
+    md5_authentication_key = optional(object({
+      name = string
+      key  = string
+    }))
   }))
   description = "BGP peers for this interface."
   default     = []
