diff --git a/vpn-transit-gateway/README.md b/vpn-transit-gateway/README.md
index 25b1596..98b53a3 100644
--- a/vpn-transit-gateway/README.md
+++ b/vpn-transit-gateway/README.md
@@ -54,6 +54,7 @@ module "vpn_transit-gateway" {
| Name | Version |
|------|---------|
| [aws](#provider\_aws) | >= 3.66.0 |
+| [null](#provider\_null) | >= 3.0 |
| [random](#provider\_random) | >= 3.0 |
## Modules
@@ -71,6 +72,8 @@ No modules.
| [aws_ec2_transit_gateway_route_table_association.route_table](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route_table_association) | resource |
| [aws_ec2_transit_gateway_route_table_propagation.propagate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route_table_propagation) | resource |
| [aws_vpn_connection.vpn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpn_connection) | resource |
+| [null_resource.directory_setup](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [null_resource.generate_configs](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
| [random_string.tunnel_preshared_key](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
diff --git a/vpn-transit-gateway/outputs.tf b/vpn-transit-gateway/outputs.tf
index 277b738..9475520 100644
--- a/vpn-transit-gateway/outputs.tf
+++ b/vpn-transit-gateway/outputs.tf
@@ -1,36 +1,44 @@
+# output "vpn_tunnel_endpoints" {
+# description = "VPN Tunnel Endpoint IP Addresses"
+# value = { for k, v in local.vpn_settings : k => {
+# site = v.site
+# environment = v.environment
+# sequence = v.sequence
+# label = v.label
+# full_label = format("aws:%v:%v:%v:%v", local.region, local.account_id, aws_vpn_connection.vpn[k].id, v.label)
+# customer_address = aws_customer_gateway.vpn[k].ip_address
+# bgp_asn = aws_customer_gateway.vpn[k].bgp_asn
+# vpn_connection_id = aws_vpn_connection.vpn[k].id
+#
+# tunnel1_bgp_asn = aws_vpn_connection.vpn[k].tunnel1_bgp_asn
+# tunnel1_address = aws_vpn_connection.vpn[k].tunnel1_address
+# tunnel1_inside_cidr = aws_vpn_connection.vpn[k].tunnel1_inside_cidr
+# tunnel1_cgw_inside_address = aws_vpn_connection.vpn[k].tunnel1_cgw_inside_address
+# tunnel1_vgw_inside_address = aws_vpn_connection.vpn[k].tunnel1_vgw_inside_address
+#
+# tunnel2_bgp_asn = aws_vpn_connection.vpn[k].tunnel2_bgp_asn
+# tunnel2_address = aws_vpn_connection.vpn[k].tunnel2_address
+# tunnel2_inside_cidr = aws_vpn_connection.vpn[k].tunnel2_inside_cidr
+# tunnel2_cgw_inside_address = aws_vpn_connection.vpn[k].tunnel2_cgw_inside_address
+# tunnel2_vgw_inside_address = aws_vpn_connection.vpn[k].tunnel2_vgw_inside_address
+# }
+# }
+# }
+
output "vpn_tunnel_endpoints" {
description = "VPN Tunnel Endpoint IP Addresses"
- value = { for k, v in local.vpn_settings : k => {
- site = v.site
- environment = v.environment
- sequence = v.sequence
- label = v.label
- full_label = format("aws:%v:%v:%v:%v", local.region, local.account_id, aws_vpn_connection.vpn[k].id, v.label)
- customer_address = aws_customer_gateway.vpn[k].ip_address
- bgp_asn = aws_customer_gateway.vpn[k].bgp_asn
-
- tunnel1_bgp_asn = aws_vpn_connection.vpn[k].tunnel1_bgp_asn
- tunnel1_address = aws_vpn_connection.vpn[k].tunnel1_address
- tunnel1_inside_cidr = aws_vpn_connection.vpn[k].tunnel1_inside_cidr
- tunnel1_cgw_inside_address = aws_vpn_connection.vpn[k].tunnel1_cgw_inside_address
- tunnel1_vgw_inside_address = aws_vpn_connection.vpn[k].tunnel1_vgw_inside_address
-
- tunnel2_bgp_asn = aws_vpn_connection.vpn[k].tunnel2_bgp_asn
- tunnel2_address = aws_vpn_connection.vpn[k].tunnel2_address
- tunnel2_inside_cidr = aws_vpn_connection.vpn[k].tunnel2_inside_cidr
- tunnel2_cgw_inside_address = aws_vpn_connection.vpn[k].tunnel2_cgw_inside_address
- tunnel2_vgw_inside_address = aws_vpn_connection.vpn[k].tunnel2_vgw_inside_address
- }
- }
+ value = local.vpn_tunnel_outputs
}
output "vpn_labels" {
description = "VPN Labels for Description field of Endpoint device (Cisco ASR)"
- value = { for k, v in local.vpn_settings : k => {
+ # value = { for k, v in local.vpn_settings : k => {
+ value = { for k, v in local.vpn_tunnel_outputs : k => {
site = v.site
environment = v.environment
sequence = v.sequence
- label = format("aws:%v:%v:%v:%v", local.region, local.account_id, aws_vpn_connection.vpn[k].id, v.label)
+ # label = format("aws:%v:%v:%v:%v", local.region, local.account_id, aws_vpn_connection.vpn[k].id, v.label)
+ label = v.label
}
}
}
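Review bot: The `vpn_labels` output changes value in this hunk: the old `label` was the formatted `aws:<region>:<account>:<vpn-id>:<label>` string, while the new line `label = v.label` emits the bare label, even though `local.vpn_tunnel_outputs` carries that formatted string as `full_label`. If the ASR description field is still meant to receive the full form, the fix is `label = v.full_label`; if the shortening is intended, the output's description should say so, since consumers of this output will see a different string. The commented-out copy of the previous `vpn_tunnel_endpoints` block at the top of the file and the two commented-out `value`/`label` lines are dead text that the git history already preserves; dropping them keeps the file readable.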
diff --git a/vpn-transit-gateway/templates/vpn-config.yml.tmpl b/vpn-transit-gateway/templates/vpn-config.yml.tmpl
new file mode 100644
index 0000000..532ac57
--- /dev/null
+++ b/vpn-transit-gateway/templates/vpn-config.yml.tmpl
@@ -0,0 +1,157 @@
+vrf: ${vrf}
+cloud_provider: aws
+aws:
+ region_full: ${region_full}
+ region_short: ${region_short}
+ vpc_full_name: ${vpc_full_name}
+ vpc_suffix: ${vpc_name}
+ vpc_number: ${vpc_number}
+ vpc_cidr_block: ${vpc_cidr_block}
+ vpn_connection_id: ${vpn_connection_id}
+ vpn_connection_description: ${vpn_connection_description}
+ tunnels:
+ - tunnel1:
+ description: ${vpc_connection_description}
+%{ for k,v in tunnel1 }
+ ${k}: ${v}
+%{ endfor ~}
+ - tunnel2:
+ description: ${vpc_connection_description}
+%{ for k,v in tunnel2 }
+ ${k}: ${v}
+%{ endfor ~}
+
+## tunnel1_bgp_asn = aws_vpn_connection.vpn[k].tunnel1_bgp_asn
+## tunnel1_address = aws_vpn_connection.vpn[k].tunnel1_address
+## tunnel1_inside_cidr = aws_vpn_connection.vpn[k].tunnel1_inside_cidr
+## tunnel1_cgw_inside_address = aws_vpn_connection.vpn[k].tunnel1_cgw_inside_address
+## tunnel1_vgw_inside_address = aws_vpn_connection.vpn[k].tunnel1_vgw_inside_address
+##
+
+asr:
+ site: ${site}
+# device_name: hqnt-r1-cld-vpn-rtr1
+ device_name: bccm2-dmz-r68-cld-vpn-rtr1
+ loopback_number: 132
+ tunnel_interface_numbers:
+ - 1527
+ - 1528
+ prefixlist_sequence:
+ - 250
+ - 260
+
+##
+## vpc_name = "common"
+## vpc_cidr_block = "10.128.0.0/23"
+## vpc_index = "1"
+## vpc_short_name = "vpc1"
+## vpc_full_name = "vpc1-common"
+## vpc_environment = "common"
+## vpc_domain_name = "common.ma4-gov.sandbox.census.gov"
+## vpc_dns_servers = ["148.129.127.22", "148.129.191.22"]
+## vpc_ntp_servers = ["148.129.127.23", "148.129.191.23"]
+## vpc_enable_igw = false
+## vpc_enable_nat = false
+## vpc_enable_vpn = false
+## vpc_enable_awsdns = true
+##
+## vpn_settings = []
+## tgw_environment = "services"
+##
+## {
+# site = site
+## vrf = var.tgw_environment
+## region_full = local.region
+## region_short = transpose var.region_map, get region_full
+## vpc_full_name = var.vpc_full_name
+## vpc_name = var.vpc_name
+## vpc_number = var.vpc_index
+## vpc_cidr_block = var.vpc_cidr_block
+## vpn_connection_id = aws_vpn_connection.vpn[k].id
+## vpn_connection_description = format(...)
+## vpn_connection = aws_vpn_connection.vpn[k]
+
+## fields = [ "inside_cidr", "address", "cgw_inside_addres", "vgw_inside_address", "bgp_asn", "preshared_key" ]
+# preshared_key:
+# inside_cidr:
+# # dest ip
+# address:
+# # bgp peer
+# vgw_inside_address:
+# # ip
+# cgw_inside_address:
+# bgp_asn:
+#
+##
+##
+## transpose, var.region_map
+##
+## "hq-services-4" = {
+## "bgp_asn" = "65510"
+## "customer_address" = "148.129.163.25"
+## "environment" = "services"
+## "full_label" = "aws:us-gov-east-1:817869416306:vpn-0937e27de0e6c0441:hq-services-4"
+## "label" = "hq-services-4"
+## "sequence" = 4
+## "site" = "hq"
+## "tunnel1_address" = "18.252.255.171"
+## "tunnel1_bgp_asn" = "64513"
+## "tunnel1_cgw_inside_address" = "169.254.8.26"
+## "tunnel1_inside_cidr" = "169.254.8.24/30"
+## "tunnel1_vgw_inside_address" = "169.254.8.25"
+## "tunnel2_address" = "18.253.223.173"
+## "tunnel2_bgp_asn" = "64513"
+## "tunnel2_cgw_inside_address" = "169.254.8.30"
+## "tunnel2_inside_cidr" = "169.254.8.28/30"
+## "tunnel2_vgw_inside_address" = "169.254.8.29"
+## }
+##
+##
+## output "vpn_tunnel_endpoints" {
+## description = "VPN Tunnel Endpoint IP Addresses"
+## value = { for k, v in local.vpn_settings : k => {
+## site = v.site
+## environment = v.environment
+## sequence = v.sequence
+## label = v.label
+## full_label = format("aws:%v:%v:%v:%v", local.region, local.account_id, aws_vpn_connection.vpn[k].id, v.label)
+## customer_address = aws_customer_gateway.vpn[k].ip_address
+## bgp_asn = aws_customer_gateway.vpn[k].bgp_asn
+##
+## tunnel1_bgp_asn = aws_vpn_connection.vpn[k].tunnel1_bgp_asn
+## tunnel1_address = aws_vpn_connection.vpn[k].tunnel1_address
+## tunnel1_inside_cidr = aws_vpn_connection.vpn[k].tunnel1_inside_cidr
+## tunnel1_cgw_inside_address = aws_vpn_connection.vpn[k].tunnel1_cgw_inside_address
+## tunnel1_vgw_inside_address = aws_vpn_connection.vpn[k].tunnel1_vgw_inside_address
+##
+## tunnel2_bgp_asn = aws_vpn_connection.vpn[k].tunnel2_bgp_asn
+## tunnel2_address = aws_vpn_connection.vpn[k].tunnel2_address
+## tunnel2_inside_cidr = aws_vpn_connection.vpn[k].tunnel2_inside_cidr
+## tunnel2_cgw_inside_address = aws_vpn_connection.vpn[k].tunnel2_cgw_inside_address
+## tunnel2_vgw_inside_address = aws_vpn_connection.vpn[k].tunnel2_vgw_inside_address
+## }
+## }
+## }
+##
+## output "vpn_labels" {
+## description = "VPN Labels for Description field of Endpoint device (Cisco ASR)"
+## value = { for k, v in local.vpn_settings : k => {
+## site = v.site
+## environment = v.environment
+## sequence = v.sequence
+## label = format("aws:%v:%v:%v:%v", local.region, local.account_id, aws_vpn_connection.vpn[k].id, v.label)
+## }
+## }
+## }
+
+# description:
+# preshared_key:
+# inside_cidr:
+# # dest ip
+# address:
+# # bgp peer
+# vgw_inside_address:
+# # ip
+# cgw_inside_address:
+# bgp_asn:
+#
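Review bot: The two `description:` lines under `tunnel1` and `tunnel2` reference `${vpc_connection_description}`, but the only similarly named value the template defines is `${vpn_connection_description}` a few lines above; with `templatefile`, an unreferenced variable name is a render-time error, so this looks like a typo for `description: ${vpn_connection_description}`. The tunnel loop emits `${k}: ${v}` unquoted, so any value containing YAML-significant characters (a `#`, a leading `*`, a colon followed by a space) changes the parsed document; quoting the value, `${k}: "${v}"`, is safer for free-form fields. The scratch notes after the `asr:` block contain what appear to be real peer addresses, an account id, a VPN connection id and a hard-coded `device_name`; those belong in variables or in the commit message rather than in a template that is rendered for every site, and if the tunnel maps include the `preshared_key` field listed in the `fields` note, the rendered file will hold that key in plaintext and should be treated as a secret on disk. Nothing in this diff calls `templatefile` on this template, so whether the variable set matches cannot be confirmed from the page.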
diff --git a/vpn-transit-gateway/vpn-config.tf b/vpn-transit-gateway/vpn-config.tf
new file mode 100644
index 0000000..df1059d
--- /dev/null
+++ b/vpn-transit-gateway/vpn-config.tf
@@ -0,0 +1,49 @@
+locals {
+ vpn_tunnel_outputs = { for k, v in local.vpn_settings : k => {
+ site = v.site
+ environment = v.environment
+ sequence = v.sequence
+ label = v.label
+ full_label = format("aws:%v:%v:%v:%v", local.region, local.account_id, aws_vpn_connection.vpn[k].id, v.label)
+ customer_address = aws_customer_gateway.vpn[k].ip_address
+ bgp_asn = aws_customer_gateway.vpn[k].bgp_asn
+ vpn_connection_id = aws_vpn_connection.vpn[k].id
+
+ tunnel1_bgp_asn = aws_vpn_connection.vpn[k].tunnel1_bgp_asn
+ tunnel1_address = aws_vpn_connection.vpn[k].tunnel1_address
+ tunnel1_inside_cidr = aws_vpn_connection.vpn[k].tunnel1_inside_cidr
+ tunnel1_cgw_inside_address = aws_vpn_connection.vpn[k].tunnel1_cgw_inside_address
+ tunnel1_vgw_inside_address = aws_vpn_connection.vpn[k].tunnel1_vgw_inside_address
+
+ tunnel2_bgp_asn = aws_vpn_connection.vpn[k].tunnel2_bgp_asn
+ tunnel2_address = aws_vpn_connection.vpn[k].tunnel2_address
+ tunnel2_inside_cidr = aws_vpn_connection.vpn[k].tunnel2_inside_cidr
+ tunnel2_cgw_inside_address = aws_vpn_connection.vpn[k].tunnel2_cgw_inside_address
+ tunnel2_vgw_inside_address = aws_vpn_connection.vpn[k].tunnel2_vgw_inside_address
+ }
+ }
+}
+
+resource "null_resource" "directory_setup" {
+ provisioner "local-exec" {
+ working_dir = path.root
+ command = "test -d vpn-configs || ( mkdir vpn-configs; echo vpn-configs >> .gitignore )"
+ }
+}
+
+# https://aws.amazon.com/premiumsupport/knowledge-center/vpn-download-example-configuration-files/
+# id 48548f98 is cisco asr 1000
+resource "null_resource" "generate_configs" {
+ for_each = var.create ? local.vpn_tunnel_outputs : {}
+ triggers = {
+ directory_setup = null_resource.directory_setup.id
+ }
+ provisioner "local-exec" {
+ working_dir = "${path.root}/vpn-configs"
+ command = "aws ec2 get-vpn-connection-device-sample-configuration --vpn-connection-id ${each.value.vpn_connection_id} --vpn-connection-device-type-id 48548f98 --internet-key-exchange-version ikev1 --output text > ${each.value.label}.${each.value.vpn_connection_id}.txt"
+ environment = {
+ AWS_PROFILE = var.profile
+ AWS_REGION = local.region
+ }
+ }
+}
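Review bot: The `local-exec` command in `generate_configs` interpolates `each.value.label` and `each.value.vpn_connection_id` unquoted into a shell string, and `label` originates in `local.vpn_settings`, which is operator-supplied input; a label containing a space or shell metacharacter alters the command line and the output path. Quoting both substitutions, `--vpn-connection-id '${each.value.vpn_connection_id}'` and `> '${each.value.label}.${each.value.vpn_connection_id}.txt'`, confines them to arguments. The `triggers` block only keys on `directory_setup`, so if a VPN connection is replaced (new id) the file for that label is not regenerated; adding `vpn_connection_id = each.value.vpn_connection_id` to `triggers` ties re-runs to the id. The downloaded sample configuration embeds the tunnel pre-shared keys, so the `vpn-configs/` files are secrets; the `.gitignore` append in `directory_setup` keeps them out of the repository, but a header comment on the resource stating that the directory holds credentials and must be protected accordingly would make that explicit for the next operator.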