ansible-collections / community.aws

Ansible Collection for Community AWS
GNU General Public License v3.0

Support for AWS Transit Gateway VPN connection #190

Open adosztal opened 4 years ago

adosztal commented 4 years ago
SUMMARY

AWS allows creating VPN tunnels not only between a VGW and CGWs but also between a Transit Gateway (TGW) and CGWs. It would be nice if this connection type was supported by Ansible too. Note: I already raised this in ansible/ansible#67526 but it was auto-closed after the repo migration.

ISSUE TYPE
COMPONENT NAME

ec2_vpc_vpn

ADDITIONAL INFORMATION

The only difference is calling the AWS CreateVpnConnection API using "TransitGatewayId" instead of "VpnGatewayId".

The task could look like this:

- name: create a VPN connection
  ec2_vpc_vpn:
    state: present
    transit_gateway_id: tgw-XXXXXXXX
    customer_gateway_id: cgw-XXXXXXXX

Note: The output of ec2_vpc_vpn_info shows this key (line 17) after manually creating a tunnel:

ok: [localhost] => {
    "msg": {
        "category": "VPN", 
        "changed": false, 
        "customer_gateway_configuration": "<... large xml output ...>", 
        "customer_gateway_id": "cgw-xxxxxxxxxxxxxxxxx", 
        "failed": false, 
        "options": {
            "enable_acceleration": false, 
            "static_routes_only": false
        }, 
        "routes": [], 
        "state": "available", 
        "tags": {
            "name": "tgw_test_conn"
        }, 
        "transit_gateway_id": "tgw-xxxxxxxxxxxxxxxxx", 
        "type": "ipsec.1", 
        "vgw_telemetry": [
            {
                "accepted_route_count": 0, 
                "last_status_change": "2020-02-18T10:52:49+00:00", 
                "outside_ip_address": "x.x.x.x", 
                "status": "DOWN", 
                "status_message": "IPSEC IS DOWN"
            }, 
            {
                "accepted_route_count": 0, 
                "last_status_change": "2020-02-18T10:52:30+00:00", 
                "outside_ip_address": "x.x.x.x", 
                "status": "DOWN", 
                "status_message": "IPSEC IS DOWN"
            }
        ], 
        "vpn_connection_id": "vpn-xxxxxxxxxxxxxxxxx"
    }
}

I tried what happens if I replace vpn_gateway_id with transit_gateway_id (see ec2_transit_gateway_vpn.py.txt) and the connection was created. I guess it's too quick and dirty for a final solution but at least confirms that it works. :slightly_smiling_face:

Output:

ok: [localhost] => {
    "msg": {
        "category": "VPN", 
        "changed": true, 
        "customer_gateway_configuration": "xxxxxxxxxxxxxxxxx", 
        "customer_gateway_id": "cgw-xxxxxxxxxxxxxxxxx", 
        "failed": false, 
        "options": {
            "enable_acceleration": false, 
            "static_routes_only": false
        }, 
        "routes": [], 
        "state": "available", 
        "tags": {}, 
        "transit_gateway_id": "tgw-xxxxxxxxxxxxxxxxx", 
        "type": "ipsec.1", 
        "vgw_telemetry": [
            {
                "accepted_route_count": 0, 
                "last_status_change": "2020-02-19T08:08:22+00:00", 
                "outside_ip_address": "x.x.x.x", 
                "status": "DOWN", 
                "status_message": "IPSEC IS DOWN"
            }, 
            {
                "accepted_route_count": 0, 
                "last_status_change": "2020-02-19T08:07:55+00:00", 
                "outside_ip_address": "x.x.x.x", 
                "status": "DOWN", 
                "status_message": "IPSEC IS DOWN"
            }
        ], 
        "vpn_connection_id": "vpn-xxxxxxxxxxxxxxxxx"
    }
}
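The request above boils down to one branch in how the module builds its CreateVpnConnection call: pass TransitGatewayId instead of VpnGatewayId, and refuse the call when both (or neither) are given rather than letting AWS return an error mid-run. The following is an added illustration, not code from community.aws or from the reporter's attached file; the boto3 parameter names (VpnGatewayId, TransitGatewayId, CustomerGatewayId, Type, Options with StaticRoutesOnly and EnableAcceleration) are the real CreateVpnConnection fields, while the function names and the embedded telemetry sample are constructed here to mirror the ec2_vpc_vpn_info output quoted in the issue.

```python
"""Added example (not community.aws code): build the keyword arguments a
boto3 ec2 client would need for create_vpn_connection() against either a
virtual private gateway or a transit gateway, and summarise the tunnel
telemetry returned afterwards.  The helper names are hypothetical; the
telemetry below is a constructed sample shaped like the issue's output."""


def build_create_vpn_params(customer_gateway_id, vpn_gateway_id=None,
                            transit_gateway_id=None, static_routes_only=False,
                            enable_acceleration=False):
    """Return the CreateVpnConnection request body for one gateway type.

    The API accepts exactly one of VpnGatewayId / TransitGatewayId.  Checking
    that in the module keeps an ambiguous playbook from creating a connection
    on the wrong gateway or failing halfway through a run.
    """
    if bool(vpn_gateway_id) == bool(transit_gateway_id):
        raise ValueError(
            "specify exactly one of vpn_gateway_id or transit_gateway_id")

    params = {
        "Type": "ipsec.1",  # the only VPN type the API supports today
        "CustomerGatewayId": customer_gateway_id,
        "Options": {
            "StaticRoutesOnly": static_routes_only,
            "EnableAcceleration": enable_acceleration,
        },
    }
    if vpn_gateway_id:
        params["VpnGatewayId"] = vpn_gateway_id
    else:
        params["TransitGatewayId"] = transit_gateway_id
    return params


def summarise_tunnels(vgw_telemetry):
    """Count tunnels per status from the vgw_telemetry list of a connection."""
    counts = {"UP": 0, "DOWN": 0}
    for tunnel in vgw_telemetry:
        status = tunnel.get("status", "DOWN")
        counts[status] = counts.get(status, 0) + 1
    return counts


def tunnels_healthy(vgw_telemetry):
    """True only when every tunnel reports UP.

    A freshly created connection (as in the issue's output) shows both
    tunnels DOWN with "IPSEC IS DOWN" until the customer gateway side is
    configured, so a playbook should not treat creation as connectivity.
    """
    return bool(vgw_telemetry) and all(
        t.get("status") == "UP" for t in vgw_telemetry)


# Constructed sample mirroring the two-tunnel telemetry shown in the issue.
SAMPLE_TELEMETRY = [
    {"accepted_route_count": 0, "outside_ip_address": "x.x.x.x",
     "status": "DOWN", "status_message": "IPSEC IS DOWN"},
    {"accepted_route_count": 0, "outside_ip_address": "x.x.x.x",
     "status": "DOWN", "status_message": "IPSEC IS DOWN"},
]


if __name__ == "__main__":
    # Placeholder ids; a real call would be ec2.create_vpn_connection(**params)
    params = build_create_vpn_params("cgw-XXXXXXXX",
                                     transit_gateway_id="tgw-XXXXXXXX")
    print(params)
    print(summarise_tunnels(SAMPLE_TELEMETRY), tunnels_healthy(SAMPLE_TELEMETRY))
```

The mutual-exclusion check is the piece worth carrying into the module's argument spec (mutually_exclusive plus required_one_of), so that the idempotency lookup and the create path agree on which gateway field identifies the connection.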
ansibullbot commented 4 years ago

Files identified in the description:

If these files are inaccurate, please update the component name section of the description or use the !component bot command.

click here for bot help

ansibullbot commented 4 years ago

cc @jillr @s-hertel @tremble @wimnat click here for bot help

gravesm commented 3 years ago

@adosztal thank you for reporting this. Would you be willing to submit a PR for this?

adosztal commented 3 years ago

@gravesm, sure, I just submitted it. Thanks.