google_compute_vpn_tunnel

Manages a VPN Tunnel to the GCE network. For more info, read the documentation.

Note: All arguments including the shared_secret will be stored in the raw state as plain-text. Read more about sensitive data in state.

Example Usage

resource "google_compute_network" "network1" {
  name = "network1"
}

resource "google_compute_subnetwork" "subnet1" {
  name          = "subnet1"
  network       = "${google_compute_network.network1.self_link}"
  ip_cidr_range = "10.120.0.0/16"
  region        = "us-central1"
}

resource "google_compute_vpn_gateway" "target_gateway" {
  name    = "vpn1"
  network = "${google_compute_network.network1.self_link}"
  region  = "${google_compute_subnetwork.subnet1.region}"
}

resource "google_compute_address" "vpn_static_ip" {
  name   = "vpn-static-ip"
  region = "${google_compute_subnetwork.subnet1.region}"
}

resource "google_compute_forwarding_rule" "fr_esp" {
  name        = "fr-esp"
  ip_protocol = "ESP"
  ip_address  = "${google_compute_address.vpn_static_ip.address}"
  target      = "${google_compute_vpn_gateway.target_gateway.self_link}"
}

resource "google_compute_forwarding_rule" "fr_udp500" {
  name        = "fr-udp500"
  ip_protocol = "UDP"
  port_range  = "500-500"
  ip_address  = "${google_compute_address.vpn_static_ip.address}"
  target      = "${google_compute_vpn_gateway.target_gateway.self_link}"
}

resource "google_compute_forwarding_rule" "fr_udp4500" {
  name        = "fr-udp4500"
  ip_protocol = "UDP"
  port_range  = "4500-4500"
  ip_address  = "${google_compute_address.vpn_static_ip.address}"
  target      = "${google_compute_vpn_gateway.target_gateway.self_link}"
}

resource "google_compute_vpn_tunnel" "tunnel1" {
  name          = "tunnel1"
  peer_ip       = "15.0.0.120"
  shared_secret = "a secret message"

  target_vpn_gateway = "${google_compute_vpn_gateway.target_gateway.self_link}"

  local_traffic_selector  = ["${google_compute_subnetwork.subnet1.ip_cidr_range}"]
  remote_traffic_selector = ["172.16.0.0/12"]

  depends_on = [
    "google_compute_forwarding_rule.fr_esp",
    "google_compute_forwarding_rule.fr_udp500",
    "google_compute_forwarding_rule.fr_udp4500",
  ]
}

resource "google_compute_route" "route1" {
  name       = "route1"
  network    = "${google_compute_network.network1.name}"
  dest_range = "15.0.0.0/24"
  priority   = 1000

  next_hop_vpn_tunnel = "${google_compute_vpn_tunnel.tunnel1.self_link}"
}

Argument Reference

The following arguments are supported:

• name - (Required) A unique name for the resource, required by GCE. Changing this forces a new resource to be created.

• peer_ip - (Required) The VPN gateway sitting outside of GCE. Changing this forces a new resource to be created.

• shared_secret - (Required) A passphrase shared between the two VPN gateways. Changing this forces a new resource to be created.

• target_vpn_gateway - (Required) A link to the VPN gateway sitting inside GCE. Changing this forces a new resource to be created.

• description - (Optional) A description of the resource. Changing this forces a new resource to be created.

• ike_version - (Optional) Either version 1 or 2. Default is 2. Changing this forces a new resource to be created.

• local_traffic_selector - (Optional) Specifies which CIDR ranges are announced to the VPN peer. Mandatory if the VPN gateway is attached to a custom subnetted network. Refer to Google documentation for more information.

• remote_traffic_selector - (Optional) Specifies which CIDR ranges the VPN tunnel can route to the remote side. Mandatory if the VPN gateway is attached to a custom subnetted network. Refer to Google documentation for more information.

• router - (Optional) Name of a Cloud Router in the same region to be used for dynamic routing. Refer to Google documentation for more information.

• project - (Optional) The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

• region - (Optional) The region this tunnel should sit in. If not specified, the project region will be used. Changing this forces a new resource to be created.

Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

• detailed_status - Information about the status of the VPN tunnel.

• self_link - The URI of the created resource.