From 7cbc189144dbb46c8ee2c4014547eb6f9ea8157b Mon Sep 17 00:00:00 2001
From: badra001
Date: Fri, 4 Mar 2022 09:14:23 -0500
Subject: [PATCH] add vpn-config creation

---
 vpn-transit-gateway/README.md | 3 +
 vpn-transit-gateway/outputs.tf | 56 ++++---
 .../templates/vpn-config.yml.tmpl | 157 ++++++++++++++++++
 vpn-transit-gateway/vpn-config.tf | 49 ++++++
 4 files changed, 241 insertions(+), 24 deletions(-)
 create mode 100644 vpn-transit-gateway/templates/vpn-config.yml.tmpl
 create mode 100644 vpn-transit-gateway/vpn-config.tf

diff --git a/vpn-transit-gateway/README.md b/vpn-transit-gateway/README.md
index 25b1596..98b53a3 100644
--- a/vpn-transit-gateway/README.md
+++ b/vpn-transit-gateway/README.md
@@ -54,6 +54,7 @@ module "vpn_transit-gateway" {
 | Name | Version |
 |------|---------|
 | [aws](#provider\_aws) | >= 3.66.0 |
+| [null](#provider\_null) | >= 3.0 |
 | [random](#provider\_random) | >= 3.0 |
 
 ## Modules
@@ -71,6 +72,8 @@ No modules.
 | [aws_ec2_transit_gateway_route_table_association.route_table](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route_table_association) | resource |
 | [aws_ec2_transit_gateway_route_table_propagation.propagate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route_table_propagation) | resource |
 | [aws_vpn_connection.vpn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpn_connection) | resource |
+| [null_resource.directory_setup](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [null_resource.generate_configs](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [random_string.tunnel_preshared_key](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
diff --git a/vpn-transit-gateway/outputs.tf b/vpn-transit-gateway/outputs.tf
index 277b738..9475520 100644
--- a/vpn-transit-gateway/outputs.tf
+++ b/vpn-transit-gateway/outputs.tf
@@ -1,36 +1,44 @@
+# output "vpn_tunnel_endpoints" {
+# description = "VPN Tunnel Endpoint IP Addresses"
+# value = { for k, v in local.vpn_settings : k => {
+# site = v.site
+# environment = v.environment
+# sequence = v.sequence
+# label = v.label
+# full_label = format("aws:%v:%v:%v:%v", local.region, local.account_id, aws_vpn_connection.vpn[k].id, v.label)
+# customer_address = aws_customer_gateway.vpn[k].ip_address
+# bgp_asn = aws_customer_gateway.vpn[k].bgp_asn
+# vpn_connection_id = aws_vpn_connection.vpn[k].id
+#
+# tunnel1_bgp_asn = aws_vpn_connection.vpn[k].tunnel1_bgp_asn
+# tunnel1_address = aws_vpn_connection.vpn[k].tunnel1_address
+# tunnel1_inside_cidr = aws_vpn_connection.vpn[k].tunnel1_inside_cidr
+# tunnel1_cgw_inside_address = aws_vpn_connection.vpn[k].tunnel1_cgw_inside_address
+# tunnel1_vgw_inside_address = aws_vpn_connection.vpn[k].tunnel1_vgw_inside_address
+#
+# tunnel2_bgp_asn = aws_vpn_connection.vpn[k].tunnel2_bgp_asn
+# tunnel2_address = aws_vpn_connection.vpn[k].tunnel2_address
+# tunnel2_inside_cidr = aws_vpn_connection.vpn[k].tunnel2_inside_cidr
+# tunnel2_cgw_inside_address = aws_vpn_connection.vpn[k].tunnel2_cgw_inside_address
+# tunnel2_vgw_inside_address = aws_vpn_connection.vpn[k].tunnel2_vgw_inside_address
+# }
+# }
+# }
+
 output "vpn_tunnel_endpoints" {
 description = "VPN Tunnel Endpoint IP Addresses"
- value = { for k, v in local.vpn_settings : k => {
- site = v.site
- environment = v.environment
- sequence = v.sequence
- label = v.label
- full_label = format("aws:%v:%v:%v:%v", local.region, local.account_id, aws_vpn_connection.vpn[k].id, v.label)
- customer_address = aws_customer_gateway.vpn[k].ip_address
- bgp_asn = aws_customer_gateway.vpn[k].bgp_asn
-
- tunnel1_bgp_asn = aws_vpn_connection.vpn[k].tunnel1_bgp_asn
- tunnel1_address = aws_vpn_connection.vpn[k].tunnel1_address
- tunnel1_inside_cidr = aws_vpn_connection.vpn[k].tunnel1_inside_cidr
- tunnel1_cgw_inside_address = aws_vpn_connection.vpn[k].tunnel1_cgw_inside_address
- tunnel1_vgw_inside_address = aws_vpn_connection.vpn[k].tunnel1_vgw_inside_address
-
- tunnel2_bgp_asn = aws_vpn_connection.vpn[k].tunnel2_bgp_asn
- tunnel2_address = aws_vpn_connection.vpn[k].tunnel2_address
- tunnel2_inside_cidr = aws_vpn_connection.vpn[k].tunnel2_inside_cidr
- tunnel2_cgw_inside_address = aws_vpn_connection.vpn[k].tunnel2_cgw_inside_address
- tunnel2_vgw_inside_address = aws_vpn_connection.vpn[k].tunnel2_vgw_inside_address
- }
- }
+ value = local.vpn_tunnel_outputs
 }
 
 output "vpn_labels" {
 description = "VPN Labels for Description field of Endpoint device (Cisco ASR)"
- value = { for k, v in local.vpn_settings : k => {
+ # value = { for k, v in local.vpn_settings : k => {
+ value = { for k, v in local.vpn_tunnel_outputs : k => {
 site = v.site
 environment = v.environment
 sequence = v.sequence
- label = format("aws:%v:%v:%v:%v", local.region, local.account_id, aws_vpn_connection.vpn[k].id, v.label)
+ # label = format("aws:%v:%v:%v:%v", local.region, local.account_id, aws_vpn_connection.vpn[k].id, v.label)
+ label = v.label
 }
 }
 }
diff --git a/vpn-transit-gateway/templates/vpn-config.yml.tmpl b/vpn-transit-gateway/templates/vpn-config.yml.tmpl
new file mode 100644
index 0000000..532ac57
--- /dev/null
+++ b/vpn-transit-gateway/templates/vpn-config.yml.tmpl
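Review bot: The `vpn_labels` output changes meaning in this hunk: its `label` used to be the fully qualified `format("aws:%v:%v:%v:%v", local.region, local.account_id, aws_vpn_connection.vpn[k].id, v.label)` and now returns the short `v.label`, although `local.vpn_tunnel_outputs` already carries that same formatted string as `full_label`. If the change is unintentional, `label = v.full_label` restores the previous output without repeating the format call; if it is intentional, the description ("VPN Labels for Description field of Endpoint device") should say which form the device is expected to receive. The 27-line `#`-commented copy of the old `vpn_tunnel_endpoints` output at the top of the file duplicates what now lives in `local.vpn_tunnel_outputs` and should be deleted rather than committed, as should the two commented-out `value`/`label` lines inside `vpn_labels`.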
@@ -0,0 +1,157 @@
+vrf: ${vrf}
+cloud_provider: aws
+aws:
+ region_full: ${region_full}
+ region_short: ${region_short}
+ vpc_full_name: ${vpc_full_name}
+ vpc_suffix: ${vpc_name}
+ vpc_number: ${vpc_number}
+ vpc_cidr_block: ${vpc_cidr_block}
+ vpn_connection_id: ${vpn_connection_id}
+ vpn_connection_description: ${vpn_connection_description}
+ tunnels:
+ - tunnel1:
+ description: ${vpc_connection_description}
+%{ for k,v in tunnel1 }
+ ${k}: ${v}
+%{ endfor ~}
+ - tunnel2:
+ description: ${vpc_connection_description}
+%{ for k,v in tunnel2 }
+ ${k}: ${v}
+%{ endfor ~}
+
+## tunnel1_bgp_asn = aws_vpn_connection.vpn[k].tunnel1_bgp_asn
+## tunnel1_address = aws_vpn_connection.vpn[k].tunnel1_address
+## tunnel1_inside_cidr = aws_vpn_connection.vpn[k].tunnel1_inside_cidr
+## tunnel1_cgw_inside_address = aws_vpn_connection.vpn[k].tunnel1_cgw_inside_address
+## tunnel1_vgw_inside_address = aws_vpn_connection.vpn[k].tunnel1_vgw_inside_address
+##
+
+asr:
+ site: ${site}
+# device_name: hqnt-r1-cld-vpn-rtr1
+ device_name: bccm2-dmz-r68-cld-vpn-rtr1
+ loopback_number: 132
+ tunnel_interface_numbers:
+ - 1527
+ - 1528
+ prefixlist_sequence:
+ - 250
+ - 260
+
+##
+## vpc_name = "common"
+## vpc_cidr_block = "10.128.0.0/23"
+## vpc_index = "1"
+## vpc_short_name = "vpc1"
+## vpc_full_name = "vpc1-common"
+## vpc_environment = "common"
+## vpc_domain_name = "common.ma4-gov.sandbox.census.gov"
+## vpc_dns_servers = ["148.129.127.22", "148.129.191.22"]
+## vpc_ntp_servers = ["148.129.127.23", "148.129.191.23"]
+## vpc_enable_igw = false
+## vpc_enable_nat = false
+## vpc_enable_vpn = false
+## vpc_enable_awsdns = true
+##
+## vpn_settings = []
+## tgw_environment = "services"
+##
+## {
+# site = site
+## vrf = var.tgw_environment
+## region_full = local.region
+## region_short = transpose var.region_map, get region_full
+## vpc_full_name = var.vpc_full_name
+## vpc_name = var.vpc_name
+## vpc_number = var.vpc_index
+## vpc_cidr_block = var.vpc_cidr_block
+## vpn_connection_id = aws_vpn_connection.vpn[k].id
+## vpn_connection_description = format(...)
+## vpn_connection = aws_vpn_connection.vpn[k]
+
+## fields = [ "inside_cidr", "address", "cgw_inside_addres", "vgw_inside_address", "bgp_asn", "preshared_key" ]
+# preshared_key:
+# inside_cidr:
+# # dest ip
+# address:
+# # bgp peer
+# vgw_inside_address:
+# # ip
+# cgw_inside_address:
+# bgp_asn:
+#
+##
+##
+## transpose, var.region_map
+##
+## "hq-services-4" = {
+## "bgp_asn" = "65510"
+## "customer_address" = "148.129.163.25"
+## "environment" = "services"
+## "full_label" = "aws:us-gov-east-1:817869416306:vpn-0937e27de0e6c0441:hq-services-4"
+## "label" = "hq-services-4"
+## "sequence" = 4
+## "site" = "hq"
+## "tunnel1_address" = "18.252.255.171"
+## "tunnel1_bgp_asn" = "64513"
+## "tunnel1_cgw_inside_address" = "169.254.8.26"
+## "tunnel1_inside_cidr" = "169.254.8.24/30"
+## "tunnel1_vgw_inside_address" = "169.254.8.25"
+## "tunnel2_address" = "18.253.223.173"
+## "tunnel2_bgp_asn" = "64513"
+## "tunnel2_cgw_inside_address" = "169.254.8.30"
+## "tunnel2_inside_cidr" = "169.254.8.28/30"
+## "tunnel2_vgw_inside_address" = "169.254.8.29"
+## }
+##
+##
+## output "vpn_tunnel_endpoints" {
+## description = "VPN Tunnel Endpoint IP Addresses"
+## value = { for k, v in local.vpn_settings : k => {
+## site = v.site
+## environment = v.environment
+## sequence = v.sequence
+## label = v.label
+## full_label = format("aws:%v:%v:%v:%v", local.region, local.account_id, aws_vpn_connection.vpn[k].id, v.label)
+## customer_address = aws_customer_gateway.vpn[k].ip_address
+## bgp_asn = aws_customer_gateway.vpn[k].bgp_asn
+##
+## tunnel1_bgp_asn = aws_vpn_connection.vpn[k].tunnel1_bgp_asn
+## tunnel1_address = aws_vpn_connection.vpn[k].tunnel1_address
+## tunnel1_inside_cidr = aws_vpn_connection.vpn[k].tunnel1_inside_cidr
+## tunnel1_cgw_inside_address = aws_vpn_connection.vpn[k].tunnel1_cgw_inside_address
+## tunnel1_vgw_inside_address = aws_vpn_connection.vpn[k].tunnel1_vgw_inside_address
+##
+## tunnel2_bgp_asn = aws_vpn_connection.vpn[k].tunnel2_bgp_asn
+## tunnel2_address = aws_vpn_connection.vpn[k].tunnel2_address
+## tunnel2_inside_cidr = aws_vpn_connection.vpn[k].tunnel2_inside_cidr
+## tunnel2_cgw_inside_address = aws_vpn_connection.vpn[k].tunnel2_cgw_inside_address
+## tunnel2_vgw_inside_address = aws_vpn_connection.vpn[k].tunnel2_vgw_inside_address
+## }
+## }
+## }
+##
+## output "vpn_labels" {
+## description = "VPN Labels for Description field of Endpoint device (Cisco ASR)"
+## value = { for k, v in local.vpn_settings : k => {
+## site = v.site
+## environment = v.environment
+## sequence = v.sequence
+## label = format("aws:%v:%v:%v:%v", local.region, local.account_id, aws_vpn_connection.vpn[k].id, v.label)
+## }
+## }
+## }
+
+# description:
+# preshared_key:
+# inside_cidr:
+# # dest ip
+# address:
+# # bgp peer
+# vgw_inside_address:
+# # ip
+# cgw_inside_address:
+# bgp_asn:
+#
diff --git a/vpn-transit-gateway/vpn-config.tf b/vpn-transit-gateway/vpn-config.tf
new file mode 100644
index 0000000..df1059d
--- /dev/null
+++ b/vpn-transit-gateway/vpn-config.tf
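Review bot: The two tunnel `description` entries reference `${vpc_connection_description}` while the connection-level line and the commented variable list use `vpn_connection_description`; `templatefile` requires every referenced variable to be supplied, so rendering fails unless the caller also passes a `vpc_connection_description` key, which reads like a typo for `vpn_`. Nothing in this commit renders the template (`vpn-config.tf` fetches the AWS sample configuration with the CLI instead), so the mismatch would only surface when it is first wired in. Roughly 120 of the 157 lines are commented scratch notes, including what appears to be pasted state output carrying an account ID, public tunnel endpoint addresses and a customer gateway address; that material belongs in a design note or ticket, not in a committed template. If the `tunnel1`/`tunnel2` maps include the `preshared_key` field named in the `fields` comment, the rendered YAML contains the IPsec pre-shared keys in plaintext and its destination needs the same ignore/permission handling as the `vpn-configs/` directory.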
@@ -0,0 +1,49 @@
+locals {
+ vpn_tunnel_outputs = { for k, v in local.vpn_settings : k => {
+ site = v.site
+ environment = v.environment
+ sequence = v.sequence
+ label = v.label
+ full_label = format("aws:%v:%v:%v:%v", local.region, local.account_id, aws_vpn_connection.vpn[k].id, v.label)
+ customer_address = aws_customer_gateway.vpn[k].ip_address
+ bgp_asn = aws_customer_gateway.vpn[k].bgp_asn
+ vpn_connection_id = aws_vpn_connection.vpn[k].id
+
+ tunnel1_bgp_asn = aws_vpn_connection.vpn[k].tunnel1_bgp_asn
+ tunnel1_address = aws_vpn_connection.vpn[k].tunnel1_address
+ tunnel1_inside_cidr = aws_vpn_connection.vpn[k].tunnel1_inside_cidr
+ tunnel1_cgw_inside_address = aws_vpn_connection.vpn[k].tunnel1_cgw_inside_address
+ tunnel1_vgw_inside_address = aws_vpn_connection.vpn[k].tunnel1_vgw_inside_address
+
+ tunnel2_bgp_asn = aws_vpn_connection.vpn[k].tunnel2_bgp_asn
+ tunnel2_address = aws_vpn_connection.vpn[k].tunnel2_address
+ tunnel2_inside_cidr = aws_vpn_connection.vpn[k].tunnel2_inside_cidr
+ tunnel2_cgw_inside_address = aws_vpn_connection.vpn[k].tunnel2_cgw_inside_address
+ tunnel2_vgw_inside_address = aws_vpn_connection.vpn[k].tunnel2_vgw_inside_address
+ }
+ }
+}
+
+resource "null_resource" "directory_setup" {
+ provisioner "local-exec" {
+ working_dir = path.root
+ command = "test -d vpn-configs || ( mkdir vpn-configs; echo vpn-configs >> .gitignore )"
+ }
+}
+
+# https://aws.amazon.com/premiumsupport/knowledge-center/vpn-download-example-configuration-files/
+# id 48548f98 is cisco asr 1000
+resource "null_resource" "generate_configs" {
+ for_each = var.create ? local.vpn_tunnel_outputs : {}
+ triggers = {
+ directory_setup = null_resource.directory_setup.id
+ }
+ provisioner "local-exec" {
+ working_dir = "${path.root}/vpn-configs"
+ command = "aws ec2 get-vpn-connection-device-sample-configuration --vpn-connection-id ${each.value.vpn_connection_id} --vpn-connection-device-type-id 48548f98 --internet-key-exchange-version ikev1 --output text > ${each.value.label}.${each.value.vpn_connection_id}.txt"
+ environment = {
+ AWS_PROFILE = var.profile
+ AWS_REGION = local.region
+ }
+ }
+}
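Review bot: `generate_configs` triggers only on `null_resource.directory_setup.id`, so when an `aws_vpn_connection.vpn[k]` is replaced and gets a new `vpn_connection_id` for the same key, the provisioner does not re-run and `vpn-configs/` keeps only the file for the old connection; add `vpn_connection_id = each.value.vpn_connection_id` to `triggers`. `each.value.label` comes from `local.vpn_settings` (module input) and is interpolated unquoted into the shell command, so a label with whitespace or shell metacharacters changes the redirect target; quote it, e.g. `> '${each.value.label}.${each.value.vpn_connection_id}.txt'`. The sample configuration returned by `get-vpn-connection-device-sample-configuration` embeds the tunnel pre-shared keys in plaintext, which is what the `.gitignore` append in `directory_setup` is protecting, but that append only runs when the directory does not already exist and the written files' permissions are left to the umask; a comment on `generate_configs` such as `# Output files contain the IPsec pre-shared keys; vpn-configs/ must stay ignored and access-restricted.` would make the intent explicit. `--internet-key-exchange-version ikev1` is hard-coded although the IKE version of the tunnels is a property of `aws_vpn_connection.vpn[k]`; consider deriving it from the connection or exposing it as a variable so the downloaded configuration matches what was provisioned.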