Skip to content

cyber-scot/terraform-azurerm-virtual-network-gateway

BranchesTags

Repository files navigation

resource "azurerm_public_ip" "pip" {
  count = var.create_public_ip == true ? 1 : 0

  name                = var.public_ip_name != null ? var.public_ip_name : "pip-${var.name}"
  location            = var.location
  resource_group_name = var.rg_name
  allocation_method   = var.public_ip_allocation_method != null ? var.public_ip_allocation_method : "Static"
  sku                 = var.public_ip_sku != null ? var.public_ip_sku : "Standard"
  tags                = var.tags
}

resource "azurerm_virtual_network_gateway" "vnet_gw" {
  name                = var.name
  location            = var.location
  resource_group_name = var.rg_name
  tags                = var.tags

  type                                  = var.type
  vpn_type                              = var.vpn_type
  sku                                   = var.sku
  active_active                         = var.sku == "HighPerformance" || var.sku == "UltraPerformance" ? var.active_active : false
  enable_bgp                            = var.enable_bgp
  default_local_network_gateway_id      = var.create_local_network_gateway == true ? azurerm_local_network_gateway.local_gw[0].id : var.default_local_network_gateway_id
  edge_zone                             = var.edge_zone != null ? var.edge_zone : null
  generation                            = var.generation
  private_ip_address_enabled            = var.private_ip_address_enabled != null ? var.private_ip_address_enabled : false
  dns_forwarding_enabled                = var.dns_forwarding_enabled != null ? var.dns_forwarding_enabled : false
  bgp_route_translation_for_nat_enabled = var.bgp_route_translation_for_nat_enabled != null ? var.bgp_route_translation_for_nat_enabled : false
  ip_sec_replay_protection_enabled      = var.ip_sec_replay_protection_enabled != null ? var.ip_sec_replay_protection_enabled : false
  remote_vnet_traffic_enabled           = var.remote_vnet_traffic_enabled != null ? var.remote_vnet_traffic_enabled : false
  virtual_wan_traffic_enabled           = var.virtual_wan_traffic_enabled != null ? var.virtual_wan_traffic_enabled : false

  dynamic "policy_group" {
    for_each = var.policy_group != null ? var.policy_group : null
    content {
      name       = policy_group.value.name
      is_default = policy_group.value.is_default
      priority   = policy_group.value.priority

      dynamic "policy_member" {
        for_each = policy_group.value.policy_member != null ? policy_group.value.policy_member : null
        content {
          name  = policy_member.value.name
          type  = policy_member.value.type
          value = policy_member.value.value
        }
      }
    }
  }

  dynamic "ip_configuration" {
    for_each = var.ip_configuration != null ? var.ip_configuration : null
    content {
      name                          = ip_configuration.value.name != null ? ip_configuration.value.name : "ipconfig-${var.name}"
      public_ip_address_id          = var.create_public_ip == true ? azurerm_public_ip.pip[0].id : ip_configuration.value.public_ip_address_id
      private_ip_address_allocation = ip_configuration.value.private_ip_address_allocation != null ? ip_configuration.value.private_ip_address_allocation : "Dynamic"
      subnet_id                     = ip_configuration.value.subnet_id
    }
  }

  dynamic "bgp_settings" {
    for_each = var.bgp_settings != null ? var.bgp_settings : null
    content {
      asn         = bgp_settings.value.asn
      peer_weight = bgp_settings.value.peer_weight

      dynamic "peering_addresses" {
        for_each = bgp_settings.value.peering_addresses != null ? bgp_settings.value.peering_addresses : null
        content {
          ip_configuration_name = peering_addresses.value.ip_configuration_name
          apipa_addresses       = peering_addresses.value.apipa_addresses != null ? peering_addresses.value.apipa_addresses : null
        }
      }
    }
  }

  dynamic "custom_route" {
    for_each = var.custom_route != null ? var.custom_route : null
    content {
      address_prefixes = custom_route.value.address_prefixes
    }
  }

  dynamic "vpn_client_configuration" {
    for_each = var.vpn_client_configuration
    content {
      address_space         = vpn_client_configuration.value.address_space
      aad_tenant            = vpn_client_configuration.value.aad_tenant_url
      aad_audience          = vpn_client_configuration.value.aad_audience
      aad_issuer            = vpn_client_configuration.value.aad_issuer
      radius_server_address = vpn_client_configuration.value.radius_server_address
      radius_server_secret  = vpn_client_configuration.value.radius_server_secret
      vpn_client_protocols  = vpn_client_configuration.value.vpn_client_protocols
      vpn_auth_types        = vpn_client_configuration.value.vpn_auth_types

      dynamic "virtual_network_gateway_client_connection" {
        for_each = vpn_client_configuration.value.virtual_network_gateway_client_connection
        content {
          name               = virtual_network_gateway_client_connection.value.name
          policy_group_names = virtual_network_gateway_client_connection.value.policy_group_name
          address_prefixes   = virtual_network_gateway_client_connection.value.address_prefixes
        }
      }

      dynamic "radius_server" {
        for_each = vpn_client_configuration.value.radius_server
        content {
          score   = radius_server.value.score
          address = radius_server.value.address
          secret  = radius_server.value.secret
        }
      }

      dynamic "root_certificate" {
        for_each = vpn_client_configuration.value.root_certificate
        content {
          name             = root_certificate.value.name
          public_cert_data = root_certificate.value.data
        }
      }

      dynamic "revoked_certificate" {
        for_each = vpn_client_configuration.value.revoked_certificate
        content {
          name       = revoked_certificate.value.name
          thumbprint = revoked_certificate.value.thumbprint
        }
      }

      dynamic "ipsec_policy" {
        for_each = vpn_client_configuration.value.ipsec_policy
        content {
          sa_lifetime_in_seconds    = ipsec_policy.value.sa_lifetime_in_seconds
          sa_data_size_in_kilobytes = ipsec_policy.value.sa_data_size_in_kilobytes
          ipsec_encryption          = ipsec_policy.value.ipsec_encryption
          ipsec_integrity           = ipsec_policy.value.ipsec_integrity
          ike_encryption            = ipsec_policy.value.ike_encryption
          ike_integrity             = ipsec_policy.value.ike_integrity
          dh_group                  = ipsec_policy.value.dh_group
          pfs_group                 = ipsec_policy.value.pfs_group
        }
      }
    }
  }
}


resource "azurerm_local_network_gateway" "local_gw" {
  count               = var.create_local_network_gateway == true ? 1 : 0
  name                = var.local_network_gateway_name != null ? var.local_network_gateway_name : "local-gw-${var.name}"
  resource_group_name = var.rg_name
  location            = var.location
  gateway_address     = var.local_network_gateway_fqdn == null ? var.gateway_address : null
  gateway_fqdn        = var.local_network_gateway_address == null ? var.gateway_fqdn : null
  address_space       = var.local_network_gateway_address_space

  dynamic "bgp_settings" {
    for_each = var.local_network_gateway_bgp_settings
    content {
      asn                 = bgp_settings.value.asn
      bgp_peering_address = bgp_settings.value.bgp_peering_address
      peer_weight         = bgp_settings.value.peer_weight
    }
  }
}

Requirements

No requirements.

Providers

Name Version
azurerm n/a

Modules

No modules.

Resources

Name Type
azurerm_local_network_gateway.local_gw resource
azurerm_public_ip.pip resource
azurerm_virtual_network_gateway.vnet_gw resource

Inputs

Name Description Type Default Required
active_active Whether to create an active-active gateway or not bool false no
bgp_route_translation_for_nat_enabled Whether BGP route transaltion for NAT is enabled on the VNet gateway bool false no
bgp_settings The BGP settings block, if used 
list(object({
    asn = optional(number)
    peering_address = optional(list(object({
      ip_configuration_name = optional(string)
      apipa_addresses       = optional(list(string))
    })))
    peer_weight = optional(number, 1)
  }))
 [] no
create_local_network_gateway Whether to create a local network gateway or not bool false no
create_public_ip Whether to create a public IP, or bring your own bool true no
custom_route The custom route block, if used 
list(object({
    address_prefixes = optional(list(string))
  }))
 [] no
default_local_network_gateway_id The ID of the default local network gateway string null no
dns_forwarding_enabled Whether DNS forwarding is enabled on the VNet gateway bool true no
edge_zone The edge zone for the VNet to be deployed string null no
enable_bgp Whether BGP should be enabled on the VNet gateway bool false no
generation The generation of the VNet gateway, can either be Generation1 or Generation2 or None string "Generation2" no
ip_configuration The IP configuration block of the VNet gateway 
list(object({
    name                          = optional(string),
    public_ip_address_id          = optional(string)
    private_ip_address_allocation = optional(string, "Dynamic")
    subnet_id                     = optional(string)
  }))
 n/a yes
ip_sec_replay_protection_enabled Whether IP Sec replay protection is enabled on the VNet gateway bool true no
local_network_gateway_address The address of the local network gateway string null no
local_network_gateway_address_space The address space of the local network gateway list(string) [] no
local_network_gateway_bgp_settings The BGP settings block, if used 
list(object({
    asn                 = optional(number)
    bgp_peering_address = optional(string)
    peer_weight         = optional(number, 1)
  }))
 [] no
local_network_gateway_fqdn The FQDN of the local network gateway string null no
local_network_gateway_name The name of the local network gateway string null no
location The location for this resource to be put in string n/a yes
name The name of the VNet gateway string n/a yes
policy_group The policy group block, if used 
list(object({
    name = string
    policy_member = list(object({
      name  = string
      type  = string
      value = string
    }))
    is_default = optional(bool, false)
    priority   = optional(number, 0)
  }))
 [] no
private_ip_address_enabled Whether private IP address is enabled on the VNet gateway bool false no
public_ip_allocation_method The allocation method of the public ip string null no
public_ip_name The name of the public IP string null no
public_ip_sku The sku of the public ip string null no
remote_vnet_traffic_enabled Whether remote VNet traffic is enabled on the VNet gateway bool false no
rg_name The name of the resource group, this module does not create a resource group, it is expecting the value of a resource group already exists string n/a yes
sku The SKU of the VNet gateway string n/a yes
tags A map of the tags to use on the resources that are deployed with this module. map(string) n/a yes
type The type of VPN gateway to create, either Vpn or ExpressRoute string n/a yes
virtual_wan_traffic_enabled Whether virtual wan traffic is enabled on the VNet gateway bool false no
vpn_client_configuration The VPN client configuration block, if used 
list(object({
    address_space  = string
    aad_tenant_url = optional(string)
    aad_audience   = optional(string)
    aad_issuer     = optional(string)

    ipsec_policy = optional(object({
      sa_data_size_in_kilobytes = number
      sa_lifetime_in_seconds    = number
      ipsec_encryption          = string
      ipsec_integrity           = string
      ike_encryption            = string
      ike_integrity             = string
      dh_group                  = string
      pfs_group                 = string
    }))
    radius_server = optional(list(object({
      address = string
      secret  = string
      score   = number
    })))
    radius_server_address = optional(string)
    radius_server_secret  = optional(string)
    root_certificate = optional(list(object({
      name             = string
      public_cert_data = string
    })))
    revoked_certificate = optional(list(object({
      name       = string
      thumbprint = string
    })))
    vpn_client_protocols = optional(list(string))
    vpn_auth_type        = optional(list(string))
    virtual_network_gateway_client_connection = optional(list(object({
      name              = string
      policy_group_name = list(string)
      address_prefixes  = list(string)
    })))
  }))
 [] no
vpn_type The VPN type, can either be RouteBased or PolicyBased string n/a yes

Outputs

Name Description
public_ip_address The actual IP address of the Public IP.
public_ip_id The ID of the Public IP.
public_ip_name The name of the Public IP.
virtual_network_gateway_bgp_peering_addresses A list of peering_addresses for the BGP peer of the Virtual Network Gateway.
virtual_network_gateway_bgp_settings A block of bgp_settings of the Virtual Network Gateway.
virtual_network_gateway_default_addresses A list of peering address assigned to the BGP peer of the Virtual Network Gateway.
virtual_network_gateway_id The ID of the Virtual Network Gateway.
virtual_network_gateway_tunnel_ip_addresses A list of tunnel IP addresses assigned to the BGP peer of the Virtual Network Gateway.

About

A module used to deploy a VNet gateway πŸ”β¬…οΈ

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

1 tags

Packages

No packages published

Languages