professional-service/examples/vpn-usecases/stackit-stackit/030-stackit-stackit-vpn.tf
Mauritz Uphoff 20dd7ec314
All checks were successful
Default CI / Check for Open TODOs (pull_request) Successful in 43s
Default CI / Secret Scanner (TruffleHog) (pull_request) Successful in 1m7s
Default CI / Pre-Commit Hooks (pull_request) Successful in 2m30s
example(vpn): remove my mail
2026-05-13 13:53:46 +02:00

255 lines
7.1 KiB
HCL

# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
module "vpn_sna_01" {
source = "../module/stackit-sna-with-debug-machine"
machine_availability_zone = "eu01-1"
machine_ipv4_prefix = "10.10.10.0/24"
machine_network_name = "vpn-sna-01"
sna_name = "vpn-sna-01"
machine_name = "vpn-sna-01"
stackit_admin_email = var.stackit_admin_email
stackit_org_id = var.stackit_org_id
stackit_project_name = "vpn-sna-01"
sna_network_range_prefix = [
"10.10.0.0/16"
]
}
module "vpn_sna_02" {
source = "../module/stackit-sna-with-debug-machine"
machine_availability_zone = "eu01-2"
machine_ipv4_prefix = "10.11.11.0/24"
machine_network_name = "vpn-sna-02"
machine_name = "vpn-sna-02"
sna_name = "vpn-sna-02"
stackit_admin_email = var.stackit_admin_email
stackit_org_id = var.stackit_org_id
stackit_project_name = "vpn-sna-02"
sna_network_range_prefix = [
"10.11.0.0/16"
]
}
# Gateway 1 (vpn-sna-01)
resource "restful_resource" "vpn_01_gateway" {
provider = restful.stackit
path = "/v1/projects/${module.vpn_sna_01.project_id}/regions/eu01/gateways"
body = {
availabilityZones = {
tunnel1 = "eu01-1"
tunnel2 = "eu01-2"
}
bgp = {
localAsn = 64512
overrideAdvertisedRoutes = ["10.10.0.0/16"]
}
displayName = "vpn01"
labels = null
planId = "p500"
routingType = "BGP_ROUTE_BASED"
}
read_path = "$(path)/$(body.id)"
update_path = "$(path)/$(body.id)"
update_method = "PUT"
delete_path = "$(path)/$(body.id)"
delete_method = "DELETE"
}
data "restful_resource" "vpn_01_gateway_status" {
provider = restful.stackit
id = "${restful_resource.vpn_01_gateway.id}/status"
}
# Gateway 2 (vpn-sna-02)
resource "restful_resource" "vpn_02_gateway" {
provider = restful.stackit
path = "/v1/projects/${module.vpn_sna_02.project_id}/regions/eu01/gateways"
body = {
availabilityZones = {
tunnel1 = "eu01-1"
tunnel2 = "eu01-2"
}
bgp = {
localAsn = 64513
overrideAdvertisedRoutes = ["10.11.0.0/16"]
}
displayName = "vpn02"
labels = null
planId = "p500"
routingType = "BGP_ROUTE_BASED"
}
read_path = "$(path)/$(body.id)"
update_path = "$(path)/$(body.id)"
update_method = "PUT"
delete_path = "$(path)/$(body.id)"
delete_method = "DELETE"
}
data "restful_resource" "vpn_02_gateway_status" {
provider = restful.stackit
id = "${restful_resource.vpn_02_gateway.id}/status"
}
# Shared VPN Credentials
resource "random_password" "vpn_psk" {
length = 32
special = false
}
# Connection from Gateway 1 to Gateway 2
resource "restful_resource" "vpn_01_connection" {
provider = restful.stackit
path = "${restful_resource.vpn_01_gateway.id}/connections"
body = {
displayName = "conn-to-vpn02"
tunnel1 = {
bgp = {
remoteAsn = 64513
}
peering = {
localAddress = "169.254.0.1"
remoteAddress = "169.254.0.2"
}
phase1 = {
dhGroups = ["modp2048"]
encryptionAlgorithms = ["aes256gcm16"]
integrityAlgorithms = ["sha2_256"]
}
phase2 = {
dhGroups = ["modp2048"]
encryptionAlgorithms = ["aes256gcm16"]
integrityAlgorithms = ["sha2_256"]
}
preSharedKey = random_password.vpn_psk.result
remoteAddress = data.restful_resource.vpn_02_gateway_status.output.tunnels[0].publicIP
}
tunnel2 = {
bgp = {
remoteAsn = 64513
}
peering = {
localAddress = "169.254.1.1"
remoteAddress = "169.254.1.2"
}
phase1 = {
dhGroups = ["modp2048"]
encryptionAlgorithms = ["aes256gcm16"]
integrityAlgorithms = ["sha2_256"]
}
phase2 = {
dhGroups = ["modp2048"]
encryptionAlgorithms = ["aes256gcm16"]
integrityAlgorithms = ["sha2_256"]
}
preSharedKey = random_password.vpn_psk.result
remoteAddress = data.restful_resource.vpn_02_gateway_status.output.tunnels[1].publicIP
}
}
lifecycle {
ignore_changes = [
body.tunnel1.preSharedKey,
body.tunnel2.preSharedKey
]
}
read_path = "$(path)/$(body.id)"
update_path = "$(path)/$(body.id)"
update_method = "PUT"
delete_path = "$(path)/$(body.id)"
delete_method = "DELETE"
}
# Connection from Gateway 2 to Gateway 1
resource "restful_resource" "vpn_02_connection" {
provider = restful.stackit
path = "${restful_resource.vpn_02_gateway.id}/connections"
body = {
displayName = "conn-to-vpn01"
tunnel1 = {
bgp = {
remoteAsn = 64512
}
peering = {
localAddress = "169.254.0.2"
remoteAddress = "169.254.0.1"
}
phase1 = {
dhGroups = ["modp2048"]
encryptionAlgorithms = ["aes256gcm16"]
integrityAlgorithms = ["sha2_256"]
}
phase2 = {
dhGroups = ["modp2048"]
encryptionAlgorithms = ["aes256gcm16"]
integrityAlgorithms = ["sha2_256"]
}
preSharedKey = random_password.vpn_psk.result
remoteAddress = data.restful_resource.vpn_01_gateway_status.output.tunnels[0].publicIP
}
tunnel2 = {
bgp = {
remoteAsn = 64512
}
peering = {
localAddress = "169.254.1.2"
remoteAddress = "169.254.1.1"
}
phase1 = {
dhGroups = ["modp2048"]
encryptionAlgorithms = ["aes256gcm16"]
integrityAlgorithms = ["sha2_256"]
}
phase2 = {
dhGroups = ["modp2048"]
encryptionAlgorithms = ["aes256gcm16"]
integrityAlgorithms = ["sha2_256"]
}
preSharedKey = random_password.vpn_psk.result
remoteAddress = data.restful_resource.vpn_01_gateway_status.output.tunnels[1].publicIP
}
}
read_path = "$(path)/$(body.id)"
update_path = "$(path)/$(body.id)"
update_method = "PUT"
delete_path = "$(path)/$(body.id)"
delete_method = "DELETE"
lifecycle {
ignore_changes = [
body.tunnel1.preSharedKey,
body.tunnel2.preSharedKey
]
}
}
output "vpn01_public_ip" {
value = module.vpn_sna_01.machine_public_ip
}
output "vpn01_private_ip" {
value = module.vpn_sna_01.machine_private_ipv4
}
output "vpn02_public_ip" {
value = module.vpn_sna_02.machine_public_ip
}
output "vpn02_private_ip" {
value = module.vpn_sna_02.machine_private_ipv4
}