Merge pull request #1 from cagataygurturk/initial

Initial

.github/workflows/terraform-docs.yml

@@ -0,0 +1,17 @@
+name: Generate terraform docs
+on:
+  - pull_request
+
+jobs:
+  docs:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.pull_request.head.ref }}
+
+      - name: Render terraform docs and push changes back to PR
+        uses: terraform-docs/gh-actions@main
+        with:
+          working-dir: .
+          git-push: "true"

.github/workflows/terraform-fmt.yml

@@ -0,0 +1,17 @@
+name: Generate terraform docs
+on:
+  - pull_request
+
+jobs:
+  format:
+    runs-on: ubuntu-latest
+    name: Terraform Format Check
+    steps:
+      - name: Setup terraform
+        uses: hashicorp/setup-terraform@v2
+        with:
+          terraform_version: ${{ inputs.terraform_version }}
+
+      - name: Terraform fmt check
+        run: terraform fmt -check -diff -recursive
+        id: fmt

.gitignore

@@ -0,0 +1,36 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+
+.idea

.terraform-docs.yml

@@ -0,0 +1,12 @@
+formatter: "markdown"
+output:
+  file: "README.md"
+  mode: inject
+
+sections:
+  hide:
+    - resources
+    - modules
+
+header-from: docs/.header.md
+footer-from: docs/.footer.md

README.md

@@ -0,0 +1,64 @@
+<!-- BEGIN_TF_DOCS -->
+# HA VPN between GCP and OCI
+
+This repository contains a drop-in Terraform module that sets up a HA VPN between Azure and Oracle Cloud Infrastructure (OCI).
+
+## Features:
+
+- On GCP side a HA VPN is set up with two or four tunnels. (See [documentation](https://cloud.google.com/network-connectivity/docs/vpn/how-to/creating-ha-vpn))
+- On OCI side two Site-to-Site VPN connections are set up with two connections.
+- Both sides are configured to establish BGP sessions between each other, so two platforms automatically learn the routes from each other.
+- Proper routes are propagated from the GCP side to enable Private Google Access from OCI.
+
+## Installation
+
+On OCI side: A compartment, a DRG
+On GCP side: A project, a VPC network
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_google"></a> [google](#requirement\_google) | >= 3.30.0, < 5.0 |
+| <a name="requirement_oci"></a> [oci](#requirement\_oci) | ~> 5.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_google"></a> [google](#provider\_google) | >= 3.30.0, < 5.0 |
+| <a name="provider_oci"></a> [oci](#provider\_oci) | ~> 5.0 |
+| <a name="provider_random"></a> [random](#provider\_random) | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [google_compute_network.vpc](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/compute_network) | data source |
+| [google_project.gcp_project](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project) | data source |
+| [oci_core_ipsec_connection_tunnels.gcp](https://registry.terraform.io/providers/hashicorp/oci/latest/docs/data-sources/core_ipsec_connection_tunnels) | data source |
+| [oci_identity_compartment.compartment](https://registry.terraform.io/providers/hashicorp/oci/latest/docs/data-sources/identity_compartment) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_four_tunnels_redundancy"></a> [four\_tunnels\_redundancy](#input\_four\_tunnels\_redundancy) | Whether to deploy four tunnels or not. When set to `false`, only two tunnels are established. | `bool` | `false` | no |
+| <a name="input_gcp_asn"></a> [gcp\_asn](#input\_gcp\_asn) | Specifies the ASN of GCP side of the BGP session | `number` | `65516` | no |
+| <a name="input_gcp_network_name"></a> [gcp\_network\_name](#input\_gcp\_network\_name) | Specifies the name of the VPC the VPN will be located in | `string` | n/a | yes |
+| <a name="input_gcp_project_id"></a> [gcp\_project\_id](#input\_gcp\_project\_id) | Specifies the project ID of Google project the VPN will be located in | `string` | n/a | yes |
+| <a name="input_gcp_vpn_region"></a> [gcp\_vpn\_region](#input\_gcp\_vpn\_region) | Specifies the GCP region the VPN will be located in | `string` | n/a | yes |
+| <a name="input_oci_compartment_id"></a> [oci\_compartment\_id](#input\_oci\_compartment\_id) | OCID of the compartment where the VPN will be created | `string` | n/a | yes |
+| <a name="input_oci_drg_id"></a> [oci\_drg\_id](#input\_oci\_drg\_id) | OCID of the DRG (Dynamic Routing Gateway) where the VPN will be connected to | `string` | n/a | yes |
+| <a name="input_shared_secret"></a> [shared\_secret](#input\_shared\_secret) | Shared secret for the VPN connection. When left empty, a random secret is created and shared between GCP and OCI. | `string` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_shared_secret"></a> [shared\_secret](#output\_shared\_secret) | Shared Secret that was used to establish the VPN connection |
+
+## License
+
+[Apache License 2.0](LICENSE)
+<!-- END_TF_DOCS -->

docs/.footer.md

@@ -0,0 +1,3 @@
+## License
+
+[Apache License 2.0](LICENSE)

docs/.header.md

@@ -0,0 +1,15 @@
+# HA VPN between GCP and OCI
+
+This repository contains a drop-in Terraform module that sets up a HA VPN between Azure and Oracle Cloud Infrastructure (OCI).
+
+## Features:
+
+- On GCP side a HA VPN is set up with two or four tunnels. (See [documentation](https://cloud.google.com/network-connectivity/docs/vpn/how-to/creating-ha-vpn))
+- On OCI side two Site-to-Site VPN connections are set up with two connections.
+- Both sides are configured to establish BGP sessions between each other, so two platforms automatically learn the routes from each other.
+- Proper routes are propagated from the GCP side to enable Private Google Access from OCI.
+
+## Installation 
+
+On OCI side: A compartment, a DRG
+On GCP side: A project, a VPC network

gcp.tf

@@ -0,0 +1,136 @@
+data "google_project" "gcp_project" {
+  project_id = var.gcp_project_id
+}
+
+data "google_compute_network" "vpc" {
+  project = data.google_project.gcp_project.project_id
+  name    = var.gcp_network_name
+}
+
+
+resource "google_compute_ha_vpn_gateway" "ha_gateway" {
+  name    = "to-oci"
+  project = data.google_project.gcp_project.project_id
+  region  = var.gcp_vpn_region
+  network = data.google_compute_network.vpc.name
+}
+
+resource "google_compute_external_vpn_gateway" "external_gateway" {
+  count           = 2
+  name            = "oci-${count.index + 1}"
+  project         = data.google_project.gcp_project.project_id
+  redundancy_type = "TWO_IPS_REDUNDANCY"
+
+  interface {
+    id         = "0"
+    ip_address = data.oci_core_ipsec_connection_tunnels.gcp[count.index].ip_sec_connection_tunnels[0].vpn_ip
+  }
+
+  interface {
+    id         = "1"
+    ip_address = data.oci_core_ipsec_connection_tunnels.gcp[count.index].ip_sec_connection_tunnels[1].vpn_ip
+  }
+}
+
+
+resource "google_compute_router" "router" {
+
+  name    = "vpn-to-oci"
+  project = data.google_project.gcp_project.project_id
+  region  = var.gcp_vpn_region
+  network = data.google_compute_network.vpc.name
+  bgp {
+    advertise_mode    = "CUSTOM"
+    advertised_groups = ["ALL_SUBNETS"]
+    advertised_ip_ranges {
+      range       = "199.36.153.8/30"
+      description = "private.googleapis.com"
+    }
+    advertised_ip_ranges {
+      range       = "199.36.153.4/30"
+      description = "restricted.googleapis.com"
+    }
+    asn = var.gcp_asn
+  }
+}
+
+
+resource "google_compute_vpn_tunnel" "tunnels_primary" {
+  depends_on = [
+    oci_core_ipsec_connection_tunnel_management.primary,
+  ]
+  count                           = 2
+  project                         = data.google_project.gcp_project.project_id
+  region                          = var.gcp_vpn_region
+  name                            = "oci-primary-${count.index + 1}"
+  router                          = google_compute_router.router.id
+  peer_external_gateway           = google_compute_external_vpn_gateway.external_gateway[count.index].id
+  peer_external_gateway_interface = 0
+  vpn_gateway_interface           = count.index
+  ike_version                     = 2
+  shared_secret                   = local.shared_secret
+  vpn_gateway                     = google_compute_ha_vpn_gateway.ha_gateway.self_link
+}
+
+
+resource "google_compute_vpn_tunnel" "tunnels_secondary" {
+  depends_on = [
+    oci_core_ipsec_connection_tunnel_management.secondary,
+  ]
+  count                           = var.four_tunnels_redundancy ? 2 : 0
+  project                         = data.google_project.gcp_project.project_id
+  region                          = var.gcp_vpn_region
+  name                            = "oci-secondary-${count.index + 1}"
+  router                          = google_compute_router.router.id
+  peer_external_gateway           = google_compute_external_vpn_gateway.external_gateway[count.index].id
+  peer_external_gateway_interface = 1
+  vpn_gateway_interface           = count.index
+  ike_version                     = 2
+  shared_secret                   = local.shared_secret
+  vpn_gateway                     = google_compute_ha_vpn_gateway.ha_gateway.self_link
+}
+
+resource "google_compute_router_interface" "router_interface_primary" {
+  count      = 2
+  project    = data.google_project.gcp_project.project_id
+  region     = var.gcp_vpn_region
+  name       = "oci-primary-${count.index + 1}"
+  router     = google_compute_router.router.name
+  vpn_tunnel = google_compute_vpn_tunnel.tunnels_primary[count.index].name
+}
+
+resource "google_compute_router_interface" "router_interface_secondary" {
+  count      = var.four_tunnels_redundancy ? 2 : 0
+  project    = data.google_project.gcp_project.project_id
+  region     = var.gcp_vpn_region
+  name       = "oci-secondary-${count.index + 1}"
+  router     = google_compute_router.router.name
+  vpn_tunnel = google_compute_vpn_tunnel.tunnels_secondary[count.index].name
+}
+
+
+
+resource "google_compute_router_peer" "bgp_peer_primary" {
+  count           = 2
+  project         = data.google_project.gcp_project.project_id
+  region          = var.gcp_vpn_region
+  name            = "oci-primary-${count.index + 1}"
+  router          = google_compute_router.router.name
+  ip_address      = "169.254.2${count.index + 1}.1" #oci_core_ipsec_connection_tunnel_management.primary[count.index].bgp_session_info[0].customer_interface_ip
+  peer_ip_address = "169.254.2${count.index + 1}.2" #oci_core_ipsec_connection_tunnel_management.primary[count.index].bgp_session_info[0].oracle_interface_ip
+  peer_asn        = oci_core_ipsec_connection_tunnel_management.primary[count.index].bgp_session_info[0].oracle_bgp_asn
+  interface       = google_compute_router_interface.router_interface_primary[count.index].name
+}
+
+
+resource "google_compute_router_peer" "bgp_peer_secondary" {
+  count           = var.four_tunnels_redundancy ? 2 : 0
+  project         = data.google_project.gcp_project.project_id
+  region          = var.gcp_vpn_region
+  name            = "oci-secondary-${count.index + 1}"
+  router          = google_compute_router.router.name
+  ip_address      = "169.254.3${count.index + 1}.1" #oci_core_ipsec_connection_tunnel_management.primary[count.index].bgp_session_info[0].customer_interface_ip
+  peer_ip_address = "169.254.3${count.index + 1}.2" #oci_core_ipsec_connection_tunnel_management.primary[count.index].bgp_session_info[0].oracle_interface_ip
+  peer_asn        = oci_core_ipsec_connection_tunnel_management.secondary[count.index].bgp_session_info[0].oracle_bgp_asn
+  interface       = google_compute_router_interface.router_interface_secondary[count.index].name
+}

main.tf

@@ -0,0 +1,28 @@
+terraform {
+  required_providers {
+    oci = {
+      version = "~> 5.0"
+    }
+    google = {
+      source  = "hashicorp/google"
+      version = ">= 3.30.0, < 5.0"
+    }
+  }
+}
+
+resource "random_password" "shared_secret" {
+  count   = var.shared_secret == null ? 1 : 0
+  length  = 16
+  lower   = true
+  special = false
+}
+
+locals {
+  shared_secret = var.shared_secret == null ? random_password.shared_secret[0].result : var.shared_secret
+}
+
+output "shared_secret" {
+  sensitive   = true
+  value       = local.shared_secret
+  description = "Shared Secret that was used to establish the VPN connection"
+}