This module creates the VPN site-to-site network resources.
The following resources will be created:
- Private Gateway
- Customer Gateway
- VPN Site-to-site connection
```hcl
module "vpn" {
  source = "git::https://github.com/DNXLabs/terraform-aws-vpn-connection?ref=1.0.0"

  name   = "vpn" # required input; the ID element used for resource names and tags
  vpc_id = module.network[0].vpc_id

  vpn_gateway_amazon_side_asn = 64512
  customer_gateway_bgp_asn    = 65000
  customer_gateway_ip_address = "172.0.0.1"

  route_table_ids                           = []
  vpn_connection_static_routes_only         = true
  vpn_connection_static_routes_destinations = ["10.80.1.0/24"]

  vpn_connection_tunnel1_inside_cidr   = null
  vpn_connection_tunnel2_inside_cidr   = null
  vpn_connection_tunnel1_preshared_key = null
  vpn_connection_tunnel2_preshared_key = null
}
```
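Added example, not from the module's README: the same module call with the permissive defaults replaced by an explicit policy. Both tunnels are pinned to IKEv2 with one cipher suite, the traffic selectors are narrowed from the `0.0.0.0/0` defaults, route propagation is limited to the private route tables, and the preshared keys are generated by Terraform within the constraints the inputs table states instead of being left as `null`. It assumes the `hashicorp/random` provider and a `network` module exposing `vpc_id` and `private_route_table_ids`; the name, customer gateway address and VPC CIDR are placeholders.

```hcl
# Preshared keys: the inputs table allows 8-64 alphanumeric/'.'/'_' characters
# that must not start with zero; letters only (numeric = false) satisfies that.
resource "random_password" "tunnel_psk" {
  count   = 2
  length  = 32
  special = false
  numeric = false
}

module "vpn" {
  source = "git::https://github.com/DNXLabs/terraform-aws-vpn-connection?ref=1.0.0"

  name   = "onprem-dc1" # placeholder
  vpc_id = module.network[0].vpc_id

  vpn_gateway_amazon_side_asn = 64512
  customer_gateway_bgp_asn    = 65000
  customer_gateway_ip_address = "203.0.113.10" # placeholder (RFC 5737 documentation range)

  # Propagate VGW routes only into the private route tables (assumed module output).
  route_table_ids                           = module.network[0].private_route_table_ids
  vpn_connection_static_routes_only         = true
  vpn_connection_static_routes_destinations = ["10.80.1.0/24"]

  # Narrow the traffic selectors instead of the 0.0.0.0/0 defaults.
  vpn_connection_local_ipv4_network_cidr  = "10.80.1.0/24" # on-premises side
  vpn_connection_remote_ipv4_network_cidr = "10.0.0.0/16"  # VPC side (assumed VPC CIDR)

  # Tunnel 1: IKEv2 only, AES-256, SHA2-256 integrity, DH groups 14/19/20 in both phases.
  vpn_connection_tunnel1_ike_versions                 = ["ikev2"]
  vpn_connection_tunnel1_phase1_encryption_algorithms = ["AES256"]
  vpn_connection_tunnel1_phase1_integrity_algorithms  = ["SHA2-256"]
  vpn_connection_tunnel1_phase1_dh_group_numbers      = ["14", "19", "20"]
  vpn_connection_tunnel1_phase2_encryption_algorithms = ["AES256"]
  vpn_connection_tunnel1_phase2_integrity_algorithms  = ["SHA2-256"]
  vpn_connection_tunnel1_phase2_dh_group_numbers      = ["14", "19", "20"]
  vpn_connection_tunnel1_preshared_key                = random_password.tunnel_psk[0].result

  # Tunnel 2: the same policy, so a failover cannot negotiate weaker crypto.
  vpn_connection_tunnel2_ike_versions                 = ["ikev2"]
  vpn_connection_tunnel2_phase1_encryption_algorithms = ["AES256"]
  vpn_connection_tunnel2_phase1_integrity_algorithms  = ["SHA2-256"]
  vpn_connection_tunnel2_phase1_dh_group_numbers      = ["14", "19", "20"]
  vpn_connection_tunnel2_phase2_encryption_algorithms = ["AES256"]
  vpn_connection_tunnel2_phase2_integrity_algorithms  = ["SHA2-256"]
  vpn_connection_tunnel2_phase2_dh_group_numbers      = ["14", "19", "20"]
  vpn_connection_tunnel2_preshared_key                = random_password.tunnel_psk[1].result
}
```

The generated keys, like AWS-generated ones, are stored in Terraform state and appear in the `vpn_connection_customer_gateway_configuration` output, so the state backend needs the same access controls as the keys themselves.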
## Requirements

| Name | Version |
|---|---|
| terraform | >= 0.13.0 |
| aws | >= 3.56.0 |
| null | >= 2.0 |
## Providers

| Name | Version |
|---|---|
| aws | >= 3.56.0 |
## Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| customer_gateway_bgp_asn | The gateway's Border Gateway Protocol (BGP) Autonomous System Number (ASN) | number | 65000 | no |
| customer_gateway_ip_address | The IP address of the gateway's Internet-routable external interface | string | n/a | yes |
| ipsec_type | Defines the IPsec type | string | "ipsec.1" | no |
| name | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'. This is the only ID element not also included as a tag. The "name" tag is set to the full ID string; there is no tag with the value of the name input. | string | n/a | yes |
| route_table_ids | The IDs of the route tables to which routes from the Virtual Private Gateway will be propagated | list(string) | [] | no |
| tags | Extra tags to attach to resources | map(string) | {} | no |
| transit_gateway_id | Transit Gateway ID, for the case where a private gateway is not defined | string | null | no |
| vpc_id | The ID of the VPC to which the Virtual Private Gateway will be attached | string | n/a | yes |
| vpn_connection_local_ipv4_network_cidr | The IPv4 CIDR on the customer gateway (on-premises) side of the VPN connection | string | "0.0.0.0/0" | no |
| vpn_connection_remote_ipv4_network_cidr | The IPv4 CIDR on the AWS side of the VPN connection | string | "0.0.0.0/0" | no |
| vpn_connection_static_routes_destinations | List of CIDR blocks to be used as destinations for static routes. Routes to these destinations will be propagated to the route tables defined in route_table_ids | list(string) | [] | no |
| vpn_connection_static_routes_only | If set to true, the VPN connection will use static routes exclusively. Static routes must be used for devices that don't support BGP | string | "true" | no |
| vpn_connection_tunnel1_dpd_timeout_action | The action to take after a DPD timeout occurs for the first VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are clear \| none \| restart. | string | "clear" | no |
| vpn_connection_tunnel1_ike_versions | The IKE versions that are permitted for the first VPN tunnel. Valid values are ikev1 \| ikev2. | list(string) | [] | no |
| vpn_connection_tunnel1_inside_cidr | The CIDR block of the inside IP addresses for the first VPN tunnel | string | null | no |
| vpn_connection_tunnel1_phase1_dh_group_numbers | List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are 2 \| 5 \| 14 \| 15 \| 16 \| 17 \| 18 \| 19 \| 20 \| 21 \| 22 \| 23 \| 24. | list(string) | [] | no |
| vpn_connection_tunnel1_phase1_encryption_algorithms | List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are AES128 \| AES256 \| AES128-GCM-16 \| AES256-GCM-16. | list(string) | [] | no |
| vpn_connection_tunnel1_phase1_integrity_algorithms | One or more integrity algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are SHA1 \| SHA2-256 \| SHA2-384 \| SHA2-512. | list(string) | [] | no |
| vpn_connection_tunnel1_phase2_dh_group_numbers | List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are 2 \| 5 \| 14 \| 15 \| 16 \| 17 \| 18 \| 19 \| 20 \| 21 \| 22 \| 23 \| 24. | list(string) | [] | no |
| vpn_connection_tunnel1_phase2_encryption_algorithms | List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are AES128 \| AES256 \| AES128-GCM-16 \| AES256-GCM-16. | list(string) | [] | no |
| vpn_connection_tunnel1_phase2_integrity_algorithms | One or more integrity algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are SHA1 \| SHA2-256 \| SHA2-384 \| SHA2-512. | list(string) | [] | no |
| vpn_connection_tunnel1_preshared_key | The preshared key of the first VPN tunnel. The preshared key must be between 8 and 64 characters in length and cannot start with zero. Allowed characters are alphanumeric characters, periods (.) and underscores (_) | string | null | no |
| vpn_connection_tunnel1_startup_action | The action to take when establishing the tunnel for the first VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are add \| start. | string | "add" | no |
| vpn_connection_tunnel2_dpd_timeout_action | The action to take after a DPD timeout occurs for the second VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are clear \| none \| restart. | string | "clear" | no |
| vpn_connection_tunnel2_ike_versions | The IKE versions that are permitted for the second VPN tunnel. Valid values are ikev1 \| ikev2. | list(string) | [] | no |
| vpn_connection_tunnel2_inside_cidr | The CIDR block of the inside IP addresses for the second VPN tunnel | string | null | no |
| vpn_connection_tunnel2_phase1_dh_group_numbers | List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are 2 \| 5 \| 14 \| 15 \| 16 \| 17 \| 18 \| 19 \| 20 \| 21 \| 22 \| 23 \| 24. | list(string) | [] | no |
| vpn_connection_tunnel2_phase1_encryption_algorithms | List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are AES128 \| AES256 \| AES128-GCM-16 \| AES256-GCM-16. | list(string) | [] | no |
| vpn_connection_tunnel2_phase1_integrity_algorithms | One or more integrity algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are SHA1 \| SHA2-256 \| SHA2-384 \| SHA2-512. | list(string) | [] | no |
| vpn_connection_tunnel2_phase2_dh_group_numbers | List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are 2 \| 5 \| 14 \| 15 \| 16 \| 17 \| 18 \| 19 \| 20 \| 21 \| 22 \| 23 \| 24. | list(string) | [] | no |
| vpn_connection_tunnel2_phase2_encryption_algorithms | List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are AES128 \| AES256 \| AES128-GCM-16 \| AES256-GCM-16. | list(string) | [] | no |
| vpn_connection_tunnel2_phase2_integrity_algorithms | One or more integrity algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are SHA1 \| SHA2-256 \| SHA2-384 \| SHA2-512. | list(string) | [] | no |
| vpn_connection_tunnel2_preshared_key | The preshared key of the second VPN tunnel. The preshared key must be between 8 and 64 characters in length and cannot start with zero. Allowed characters are alphanumeric characters, periods (.) and underscores (_) | string | null | no |
| vpn_connection_tunnel2_startup_action | The action to take when establishing the tunnel for the second VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are add \| start. | string | "add" | no |
| vpn_gateway_amazon_side_asn | The Autonomous System Number (ASN) for the Amazon side of the VPN gateway. If you don't specify an ASN, the Virtual Private Gateway is created with the default ASN | number | 64512 | no |
## Outputs

| Name | Description |
|---|---|
customer_gateway_id | Customer Gateway ID |
vpn_connection_customer_gateway_configuration | The configuration information for the VPN connection's Customer Gateway (in the native XML format) |
vpn_connection_id | VPN Connection ID |
vpn_connection_tunnel1_address | The public IP address of the first VPN tunnel |
vpn_connection_tunnel1_cgw_inside_address | The RFC 6890 link-local address of the first VPN tunnel (Customer Gateway side) |
vpn_connection_tunnel1_vgw_inside_address | The RFC 6890 link-local address of the first VPN tunnel (Virtual Private Gateway side) |
vpn_connection_tunnel2_address | The public IP address of the second VPN tunnel |
vpn_connection_tunnel2_cgw_inside_address | The RFC 6890 link-local address of the second VPN tunnel (Customer Gateway side) |
vpn_connection_tunnel2_vgw_inside_address | The RFC 6890 link-local address of the second VPN tunnel (Virtual Private Gateway side) |
vpn_gateway_id | Virtual Private Gateway ID |
Module managed by DNX Solutions.
Apache 2 Licensed. See LICENSE for full details.