Uh oh!
There was an error while loading.Please reload this page.
- Notifications
You must be signed in to change notification settings - Fork158
Terraform module to create AWS VPN gateway resources 🇺🇦
License
NotificationsYou must be signed in to change notification settings
terraform-aws-modules/terraform-aws-vpn-gateway
Folders and files
| Name | Name | Last commit message | Last commit date | |
|---|---|---|---|---|
Repository files navigation
Terraform module which createsVPN gateway resources on AWS.
This module creates:
- aVPN Connection unless
create_vpn_connection = false - aVPN Gateway Attachment
- one or moreVPN Gateway Route Propagation depending on how many routing tables exists in a VPC
- one or moreVPN Connection Route if
create_vpn_connection = trueandvpn_connection_static_routes_only = true, and depending on the number of destinations provided in variablevpn_connection_static_routes_destinations(which must be inline withvpc_subnet_route_table_count)
This module does not create aVPN Gateway resource because it is meant to be used in combination with theVPC module that will create that resource (whenenable_vpn_gateway = true).This module also does not create aCustomer Gateway resource.This module will create static routes for the VPN Connection if configured to create a VPN Connection resource with static routes and destinations for the routes have been provided.The static routes will then be automatically propagated to the VPC subnet routing tables (provided inprivate_route_table_ids) once a VPN tunnel status isUP.When static routes are disabled, the appliance behind the Customer Gateway needs to support BGP routing protocol in order for routes to be automatically discovered, and subsequently propagated to the VPC subnet routing tables.This module supports optional parameters for tunnel inside cidr and preshared keys. They can be supplied individually, too.
If you want to use the Transit Gateway support you are responsible for creating the transit gateway resources (eg, usingterraform-aws-transit-gateway module).
WithVPC module
module"vpn_gateway" {source="terraform-aws-modules/vpn-gateway/aws"version="~> 3.0"vpc_id=module.vpc.vpc_idvpn_gateway_id=module.vpc.vgw_idcustomer_gateway_id=module.vpc.cgw_ids[0]# precalculated length of module variable vpc_subnet_route_table_idsvpc_subnet_route_table_count=3vpc_subnet_route_table_ids=module.vpc.private_route_table_ids# tunnel inside cidr & preshared keys (optional)tunnel1_inside_cidr=var.custom_tunnel1_inside_cidrtunnel2_inside_cidr=var.custom_tunnel2_inside_cidrtunnel1_preshared_key=var.custom_tunnel1_preshared_keytunnel2_preshared_key=var.custom_tunnel2_preshared_key}module"vpc" {source="terraform-aws-modules/vpc/aws"version="~> 5.0"enable_vpn_gateway=trueamazon_side_asn=64620customer_gateways={ IP1= { bgp_asn=65220 ip_address="172.83.124.10" }, IP2= { bgp_asn=65220 ip_address="172.83.124.11" } }# ...}
module"vpn_gateway" {source="terraform-aws-modules/vpn-gateway/aws"version="~> 3.0"vpn_gateway_id=aws_vpn_gateway.vpn_gateway.idcustomer_gateway_id=aws_customer_gateway.main.idvpc_id=aws_vpc.vpc.vpc_idvpc_subnet_route_table_count=3vpc_subnet_route_table_ids=["rt-12322456","rt-43433343","rt-11223344"]# tunnel inside cidr & preshared keys (optional)tunnel1_inside_cidr=var.custom_tunnel1_inside_cidrtunnel2_inside_cidr=var.custom_tunnel2_inside_cidrtunnel1_preshared_key=var.custom_tunnel1_preshared_keytunnel2_preshared_key=var.custom_tunnel2_preshared_key}resource"aws_customer_gateway""main" {bgp_asn=65000ip_address="172.83.124.10"type="ipsec.1"tags {Name="main-customer-gateway" }}resource"aws_vpc""vpc" {# ...}resource"aws_vpn_gateway""vpn_gateway" {vpc_id=aws_vpc.vpc.vpc_id# ...}
module"vpn_gateway" {source="terraform-aws-modules/vpn-gateway/aws"version="~> 3.0"create_vpn_gateway_attachment=falseconnect_to_transit_gateway=truevpc_id=module.vpc.vpc_idtransit_gateway_id=aws_ec2_transit_gateway.this.idcustomer_gateway_id=module.vpc.cgw_ids[0]# tunnel inside cidr & preshared keys (optional)tunnel1_inside_cidr=var.custom_tunnel1_inside_cidrtunnel2_inside_cidr=var.custom_tunnel2_inside_cidrtunnel1_preshared_key=var.custom_tunnel1_preshared_keytunnel2_preshared_key=var.custom_tunnel2_preshared_key}module"vpc" {source="terraform-aws-modules/vpc/aws"version="~> 5.0"enable_vpn_gateway=falseamazon_side_asn=64620customer_gateways={ IP1= { bgp_asn=65220 ip_address="172.83.124.10" }, IP2= { bgp_asn=65220 ip_address="172.83.124.11" } }# ...}resource"aws_ec2_transit_gateway""this" {description="My TGW"}resource"aws_ec2_transit_gateway_vpc_attachment""this" {subnet_ids=module.vpc.private_subnetsvpc_id=module.vpc.vpc_idtransit_gateway_id=aws_ec2_transit_gateway.this.id}
module"vpn_gateway" {source="terraform-aws-modules/vpn-gateway/aws"version="~> 3.0"create_vpn_gateway_attachment=falseconnect_to_transit_gateway=truevpc_id=module.vpc.vpc_idtransit_gateway_id=module.tgw.ec2_transit_gateway_idcustomer_gateway_id=module.vpc.cgw_ids[0]# tunnel inside cidr & preshared keys (optional)tunnel1_inside_cidr=var.custom_tunnel1_inside_cidrtunnel2_inside_cidr=var.custom_tunnel2_inside_cidrtunnel1_preshared_key=var.custom_tunnel1_preshared_keytunnel2_preshared_key=var.custom_tunnel2_preshared_key}module"vpc" {source="terraform-aws-modules/vpc/aws"version="~> 5.0"enable_vpn_gateway=falseamazon_side_asn=64620customer_gateways={ IP1= { bgp_asn=65220 ip_address="172.83.124.10" }, IP2= { bgp_asn=65220 ip_address="172.83.124.11" } }# ...}module"tgw" {source="terraform-aws-modules/transit-gateway/aws"version="~> 2.0"name="my-tgw"description="My TGW shared with several other AWS accounts"amazon_side_asn=64532vpc_attachments={ vpc1= { vpc_id="vpc-12345678"# module.vpc.vpc_id <- will not work since computed values can't be used in `count` subnet_ids= ["subnet-123456","subnet-111222233"]# module.vpc.public_subnets <- will not work since computed values can't be used in `count` dns_support=true tgw_routes= [ { destination_cidr_block="30.0.0.0/16" }, { blackhole=true destination_cidr_block="0.0.0.0/0" } ] } }}
- Complete example shows how to create all VPN Gateway resources and integration with VPC module.
- Complete example with Transit Gateway shows how to create VPN Connection between Transit Gateway and Customer Gateway.
- Complete example with static routes shows how to create all VPN Gateway together with static routes.
- Minimal example shows how to create just VPN Gateway using this module.
| Name | Version |
|---|---|
| terraform | >= 1.3 |
| aws | >= 5.42 |
| Name | Version |
|---|---|
| aws | >= 5.42 |
No modules.
| Name | Type |
|---|---|
| aws_ec2_tag.tags | resource |
| aws_vpn_connection.default | resource |
| aws_vpn_connection.preshared | resource |
| aws_vpn_connection.tunnel | resource |
| aws_vpn_connection.tunnel_preshared | resource |
| aws_vpn_connection_route.default | resource |
| aws_vpn_gateway_attachment.default | resource |
| aws_vpn_gateway_route_propagation.private_subnets_vpn_routing | resource |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| connect_to_transit_gateway | Set to false to disable attachment of the VPN connection route to the VPN connection (TGW uses another resource for that) | bool | false | no |
| create_vpn_connection | Set to false to prevent the creation of a VPN Connection. | bool | true | no |
| create_vpn_gateway_attachment | Set to false to prevent attachment of the VGW to the VPC | bool | true | no |
| customer_gateway_id | The id of the Customer Gateway. | string | n/a | yes |
| local_ipv4_network_cidr | (Optional) The IPv4 CIDR on the customer gateway (on-premises) side of the VPN connection. | string | null | no |
| local_ipv6_network_cidr | (Optional) The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection. | string | null | no |
| remote_ipv4_network_cidr | (Optional) The IPv4 CIDR on the AWS side of the VPN connection. | string | null | no |
| remote_ipv6_network_cidr | (Optional) The IPv6 CIDR on AWS side of the VPN connection. | string | null | no |
| tags | Set of tags to be added to the VPN Connection resource (only ifcreate_vpn_connection = true). | map(string) | {} | no |
| transit_gateway_id | The ID of the Transit Gateway. | string | null | no |
| tunnel1_dpd_timeout_action | (Optional, Default clear) The action to take after DPD timeout occurs for the first VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are clear | none | restart | string | null | no |
| tunnel1_dpd_timeout_seconds | (Optional, Default 30) The number of seconds after which a DPD timeout occurs for the first VPN tunnel. Valid value is equal or higher than 30 | number | null | no |
| tunnel1_enable_tunnel_lifecycle_control | (Optional) Turn on or off tunnel endpoint lifecycle control feature for the first VPN tunnel. Valid values are true | false | bool | null | no |
| tunnel1_ike_versions | (Optional) The IKE versions that are permitted for the first VPN tunnel. Valid values are ikev1 | ikev2 | list(string) | null | no |
| tunnel1_inside_cidr | The CIDR block of the inside IP addresses for the first VPN tunnel. | string | "" | no |
| tunnel1_log_options | (Optional) Options for sending VPN tunnel logs to CloudWatch. | any | {} | no |
| tunnel1_phase1_dh_group_numbers | (Optional) List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are 2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | list(number) | null | no |
| tunnel1_phase1_encryption_algorithms | (Optional) List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16 | list(string) | null | no |
| tunnel1_phase1_integrity_algorithms | (Optional) One or more integrity algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512 | list(string) | null | no |
| tunnel1_phase1_lifetime_seconds | (Optional, Default 28800) The lifetime for phase 1 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between 900 and 28800 | number | null | no |
| tunnel1_phase2_dh_group_numbers | (Optional) List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | list(number) | null | no |
| tunnel1_phase2_encryption_algorithms | (Optional) List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16 | list(string) | null | no |
| tunnel1_phase2_integrity_algorithms | (Optional) List of one or more integrity algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512 | list(string) | null | no |
| tunnel1_phase2_lifetime_seconds | (Optional, Default 3600) The lifetime for phase 2 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between 900 and 3600 | number | null | no |
| tunnel1_preshared_key | The preshared key of the first VPN tunnel. | string | "" | no |
| tunnel1_rekey_fuzz_percentage | (Optional, Default 100) The percentage of the rekey window for the first VPN tunnel (determined by tunnel1_rekey_margin_time_seconds) during which the rekey time is randomly selected. Valid value is between 0 and 100 | number | null | no |
| tunnel1_rekey_margin_time_seconds | (Optional, Default 540) The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the first VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for tunnel1_rekey_fuzz_percentage. Valid value is between 60 and half of tunnel1_phase2_lifetime_seconds | number | null | no |
| tunnel1_replay_window_size | (Optional, Default 1024) The number of packets in an IKE replay window for the first VPN tunnel. Valid value is between 64 and 2048. | number | null | no |
| tunnel1_startup_action | (Optional, Default add) The action to take when the establishing the tunnel for the first VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are add | start | string | null | no |
| tunnel2_dpd_timeout_action | (Optional, Default clear) The action to take after DPD timeout occurs for the second VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are clear | none | restart | string | null | no |
| tunnel2_dpd_timeout_seconds | (Optional, Default 30) The number of seconds after which a DPD timeout occurs for the second VPN tunnel. Valid value is equal or higher than 30 | number | null | no |
| tunnel2_enable_tunnel_lifecycle_control | (Optional) Turn on or off tunnel endpoint lifecycle control feature for the second VPN tunnel. Valid values are true | false | bool | null | no |
| tunnel2_ike_versions | (Optional) The IKE versions that are permitted for the second VPN tunnel. Valid values are ikev1 | ikev2 | list(string) | null | no |
| tunnel2_inside_cidr | The CIDR block of the inside IP addresses for the second VPN tunnel. | string | "" | no |
| tunnel2_log_options | (Optional) Options for sending VPN tunnel logs to CloudWatch. | any | {} | no |
| tunnel2_phase1_dh_group_numbers | (Optional) List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are 2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | list(number) | null | no |
| tunnel2_phase1_encryption_algorithms | (Optional) List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16 | list(string) | null | no |
| tunnel2_phase1_integrity_algorithms | (Optional) One or more integrity algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512 | list(string) | null | no |
| tunnel2_phase1_lifetime_seconds | (Optional, Default 28800) The lifetime for phase 1 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between 900 and 28800 | number | null | no |
| tunnel2_phase2_dh_group_numbers | (Optional) List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | list(number) | null | no |
| tunnel2_phase2_encryption_algorithms | (Optional) List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16 | list(string) | null | no |
| tunnel2_phase2_integrity_algorithms | (Optional) List of one or more integrity algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512 | list(string) | null | no |
| tunnel2_phase2_lifetime_seconds | (Optional, Default 3600) The lifetime for phase 2 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between 900 and 3600 | number | null | no |
| tunnel2_preshared_key | The preshared key of the second VPN tunnel. | string | "" | no |
| tunnel2_rekey_fuzz_percentage | (Optional, Default 100) The percentage of the rekey window for the second VPN tunnel (determined by tunnel1_rekey_margin_time_seconds) during which the rekey time is randomly selected. Valid value is between 0 and 100 | number | null | no |
| tunnel2_rekey_margin_time_seconds | (Optional, Default 540) The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the second VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for tunnel2_rekey_fuzz_percentage. Valid value is between 60 and half of tunnel2_phase2_lifetime_seconds | number | null | no |
| tunnel2_replay_window_size | (Optional, Default 1024) The number of packets in an IKE replay window for the second VPN tunnel. Valid value is between 64 and 2048. | number | null | no |
| tunnel2_startup_action | (Optional, Default add) The action to take when the establishing the tunnel for the second VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are add | start | string | null | no |
| tunnel_inside_ip_version | (Optional) Indicate whether the VPN tunnels process IPv4 or IPv6 traffic. Valid values are ipv4 | ipv6. ipv6 Supports only EC2 Transit Gateway. | string | "ipv4" | no |
| vpc_id | The id of the VPC where the VPN Gateway lives. | string | null | no |
| vpc_subnet_route_table_count | The number of subnet route table ids being passed in viavpc_subnet_route_table_ids. | number | 0 | no |
| vpc_subnet_route_table_ids | The ids of the VPC subnets for which routes from the VPN Gateway will be propagated. | list(string) | [] | no |
| vpn_connection_enable_acceleration | Indicate whether to enable acceleration for the VPN connection. Supports only EC2 Transit Gateway. | bool | null | no |
| vpn_connection_static_routes_destinations | List of CIDRs to be used as destination for static routes (used withvpn_connection_static_routes_only = true). Routes to destinations set here will be propagated to the routing tables of the subnets defined invpc_subnet_route_table_ids. | list(string) | [] | no |
| vpn_connection_static_routes_only | Set to true for the created VPN connection to use static routes exclusively (only ifcreate_vpn_connection = true). Static routes must be used for devices that don't support BGP. | bool | false | no |
| vpn_gateway_id | The id of the VPN Gateway. | string | null | no |
| Name | Description |
|---|---|
| tunnel1_preshared_key | The preshared key of the first VPN tunnel. |
| tunnel2_preshared_key | The preshared key of the second VPN tunnel. |
| vpn_connection_customer_gateway_configuration | The configuration information for the VPN connection's customer gateway (in the native XML format) ifcreate_vpn_connection = true, or empty otherwise |
| vpn_connection_id | A list with the VPN Connection ID ifcreate_vpn_connection = true, or empty otherwise |
| vpn_connection_transit_gateway_attachment_id | The transit gateway attachment ID that was generated when attaching this VPN connection. |
| vpn_connection_tunnel1_address | A list with the the public IP address of the first VPN tunnel ifcreate_vpn_connection = true, or empty otherwise |
| vpn_connection_tunnel1_cgw_inside_address | A list with the the RFC 6890 link-local address of the first VPN tunnel (Customer Gateway Side) ifcreate_vpn_connection = true, or empty otherwise |
| vpn_connection_tunnel1_vgw_inside_address | A list with the the RFC 6890 link-local address of the first VPN tunnel (VPN Gateway Side) ifcreate_vpn_connection = true, or empty otherwise |
| vpn_connection_tunnel2_address | A list with the the public IP address of the second VPN tunnel ifcreate_vpn_connection = true, or empty otherwise |
| vpn_connection_tunnel2_cgw_inside_address | A list with the the RFC 6890 link-local address of the second VPN tunnel (Customer Gateway Side) ifcreate_vpn_connection = true, or empty otherwise |
| vpn_connection_tunnel2_vgw_inside_address | A list with the the RFC 6890 link-local address of the second VPN tunnel (VPN Gateway Side) ifcreate_vpn_connection = true, or empty otherwise |
Module is maintained byAnton Babenko with help fromthese awesome contributors.
Apache 2 Licensed. SeeLICENSE for full details.
About
Terraform module to create AWS VPN gateway resources 🇺🇦
Topics
Resources
License
Code of conduct
Security policy
Uh oh!
There was an error while loading.Please reload this page.
Stars
Watchers
Forks
Sponsor this project
Uh oh!
There was an error while loading.Please reload this page.
Packages0
No packages published
Uh oh!
There was an error while loading.Please reload this page.