hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

r/aws_vpn_connection: `tunnel1_cgw_inside_ipv6_address` & `tunnel1_vgw_inside_ipv6_address` #17998

Closed laptom closed 5 months ago

laptom commented 3 years ago

Hi Team,

We are deploying VPN tunnels towards an AWS Transit GW (IPv4 and IPv6) and, based on the AWS configuration, we are using an OUTPUT to get some of the variables and then create the configuration for the remote router from them. We are able to extract variables (tunnel addressing details) for IPv4, but the same for IPv6 are not available.

For IPv4 tunnels created with TF code I can retrieve the IPv4 tunnel addressing like:

"tunnel1_cgw_inside_address" = aws_vpn_connection.DEMO_IPv4.tunnel1_cgw_inside_address
"tunnel1_vgw_inside_address" = aws_vpn_connection.DEMO_IPv4.tunnel1_vgw_inside_address

I hope it's something you can implement? Something like:

"tunnel1_cgw_inside_address" = aws_vpn_connection.DEMO_IPv6.tunnel1_cgw_inside_address
"tunnel1_vgw_inside_address" = aws_vpn_connection.DEMO_IPv6.tunnel1_vgw_inside_address

################ TF CODE ######################################
# var.tags is referenced by every resource below; declared here so the
# snippet plans stand-alone.
variable "tags" {
  type    = map(string)
  default = {}
}

resource "aws_ec2_transit_gateway" "DEMO_TG" {
  description     = "DEMO_TG"
  amazon_side_asn = 65000
  tags            = var.tags
}

resource "aws_customer_gateway" "LAB_DEMO" {
  bgp_asn    = 65123
  ip_address = "63.84.235.75"
  type       = "ipsec.1"
  tags = merge(
    var.tags,
    {
      Name = "LAB_DEMO_GW"
    },
  )
}

# IPv4 inside addressing (the default tunnel_inside_ip_version).
resource "aws_vpn_connection" "DEMO_IPv4" {
  transit_gateway_id  = aws_ec2_transit_gateway.DEMO_TG.id
  customer_gateway_id = aws_customer_gateway.LAB_DEMO.id
  type                = "ipsec.1"
  static_routes_only  = false

  tunnel1_ike_versions                 = ["ikev1"]
  tunnel2_ike_versions                 = ["ikev1"]
  tunnel1_phase1_dh_group_numbers      = [19]
  tunnel2_phase1_dh_group_numbers      = [19]
  tunnel1_phase1_encryption_algorithms = ["AES256"]
  tunnel2_phase1_encryption_algorithms = ["AES256"]
  tunnel1_phase1_integrity_algorithms  = ["SHA2-256"]
  tunnel2_phase1_integrity_algorithms  = ["SHA2-256"]
  tunnel1_phase1_lifetime_seconds      = 28800
  tunnel2_phase1_lifetime_seconds      = 28800
  tunnel1_phase2_dh_group_numbers      = [19]
  tunnel2_phase2_dh_group_numbers      = [19]
  tunnel1_phase2_encryption_algorithms = ["AES256"]
  tunnel2_phase2_encryption_algorithms = ["AES256"]
  tunnel1_phase2_integrity_algorithms  = ["SHA2-256"]
  tunnel2_phase2_integrity_algorithms  = ["SHA2-256"]

  tags = merge(
    var.tags,
    {
      Name = "LAB_Tunnel1_IPv4"
    },
  )
}

# Same connection with IPv6 inside addressing; only tunnel_inside_ip_version differs.
resource "aws_vpn_connection" "DEMO_IPv6" {
  transit_gateway_id       = aws_ec2_transit_gateway.DEMO_TG.id
  customer_gateway_id      = aws_customer_gateway.LAB_DEMO.id
  type                     = "ipsec.1"
  static_routes_only       = false
  tunnel_inside_ip_version = "ipv6"

  tunnel1_ike_versions                 = ["ikev1"]
  tunnel2_ike_versions                 = ["ikev1"]
  tunnel1_phase1_dh_group_numbers      = [19]
  tunnel2_phase1_dh_group_numbers      = [19]
  tunnel1_phase1_encryption_algorithms = ["AES256"]
  tunnel2_phase1_encryption_algorithms = ["AES256"]
  tunnel1_phase1_integrity_algorithms  = ["SHA2-256"]
  tunnel2_phase1_integrity_algorithms  = ["SHA2-256"]
  tunnel1_phase1_lifetime_seconds      = 28800
  tunnel2_phase1_lifetime_seconds      = 28800
  tunnel1_phase2_dh_group_numbers      = [19]
  tunnel2_phase2_dh_group_numbers      = [19]
  tunnel1_phase2_encryption_algorithms = ["AES256"]
  tunnel2_phase2_encryption_algorithms = ["AES256"]
  tunnel1_phase2_integrity_algorithms  = ["SHA2-256"]
  tunnel2_phase2_integrity_algorithms  = ["SHA2-256"]

  tags = merge(
    var.tags,
    {
      Name = "LAB_Tunnel1_IPv6"
    },
  )
}

# Renders the remote router configuration from Conf.tpl. The rendered text
# embeds tunnel1_preshared_key, which the provider marks as sensitive, so the
# output must be marked sensitive too (Terraform 0.14+ otherwise refuses the
# plan); note the value is still stored in plain text in the state file.
output "CG_I1P" {
  sensitive = true
  value = templatefile("Conf.tpl", {
    tunnel1_preshared_key      = aws_vpn_connection.DEMO_IPv4.tunnel1_preshared_key
    ip_address                 = aws_customer_gateway.LAB_DEMO.ip_address
    tunnel1_address            = aws_vpn_connection.DEMO_IPv4.tunnel1_address
    tunnel1_cgw_inside_address = aws_vpn_connection.DEMO_IPv4.tunnel1_cgw_inside_address
    tunnel1_vgw_inside_address = aws_vpn_connection.DEMO_IPv4.tunnel1_vgw_inside_address
  })
}
ewbankkit commented 3 years ago

Here's an example CustomerGatewayConfiguration XML document:

<?xml version="1.0" encoding="UTF-8"?>
<vpn_connection id="vpn-09f52119b40664ba7">
   <customer_gateway_id>cgw-0772974805f81a8e8</customer_gateway_id>
   <vpn_gateway_id />
   <vpn_connection_type>ipsec.1</vpn_connection_type>
   <ipsec_tunnel>
      <customer_gateway>
         <tunnel_outside_address>
            <ip_address>178.0.0.1</ip_address>
         </tunnel_outside_address>
         <tunnel_inside_address>
            <ip_address>169.254.45.98</ip_address>
            <network_mask>255.255.255.252</network_mask>
            <network_cidr>30</network_cidr>
         </tunnel_inside_address>
         <tunnel_inside_ipv6_address>
            <ip_address>fd00:2001:db8:2:2d1:81ff:fe41:d202</ip_address>
            <prefix_length>128</prefix_length>
         </tunnel_inside_ipv6_address>
         <bgp>
            <asn>65530</asn>
            <hold_time>30</hold_time>
         </bgp>
      </customer_gateway>
      <vpn_gateway>
         <tunnel_outside_address>
            <ip_address>34.208.157.248</ip_address>
         </tunnel_outside_address>
         <tunnel_inside_address>
            <ip_address>169.254.45.97</ip_address>
            <network_mask>255.255.255.252</network_mask>
            <network_cidr>30</network_cidr>
         </tunnel_inside_address>
         <tunnel_inside_ipv6_address>
            <ip_address>fd00:2001:db8:2:2d1:81ff:fe41:d201</ip_address>
            <prefix_length>128</prefix_length>
         </tunnel_inside_ipv6_address>
         <bgp>
            <asn>64512</asn>
            <hold_time>30</hold_time>
         </bgp>
      </vpn_gateway>
      <ike>
         <authentication_protocol>sha1</authentication_protocol>
         <encryption_protocol>aes-128-cbc</encryption_protocol>
         <lifetime>28800</lifetime>
         <perfect_forward_secrecy>group2</perfect_forward_secrecy>
         <mode>main</mode>
         <pre_shared_key>XOahDXx1hVNyMTXoBnTgDY_F.fLjymEx</pre_shared_key>
      </ike>
      <ipsec>
         <protocol>esp</protocol>
         <authentication_protocol>hmac-sha1-96</authentication_protocol>
         <encryption_protocol>aes-128-cbc</encryption_protocol>
         <lifetime>3600</lifetime>
         <perfect_forward_secrecy>group2</perfect_forward_secrecy>
         <mode>tunnel</mode>
         <clear_df_bit>true</clear_df_bit>
         <fragmentation_before_encryption>true</fragmentation_before_encryption>
         <tcp_mss_adjustment>1379</tcp_mss_adjustment>
         <dead_peer_detection>
            <interval>10</interval>
            <retries>3</retries>
         </dead_peer_detection>
      </ipsec>
   </ipsec_tunnel>
   <ipsec_tunnel>
      <customer_gateway>
         <tunnel_outside_address>
            <ip_address>178.0.0.1</ip_address>
         </tunnel_outside_address>
         <tunnel_inside_address>
            <ip_address>169.254.72.22</ip_address>
            <network_mask>255.255.255.252</network_mask>
            <network_cidr>30</network_cidr>
         </tunnel_inside_address>
         <tunnel_inside_ipv6_address>
            <ip_address>fd00:2001:db8:2:2d1:81ff:fe41:d206</ip_address>
            <prefix_length>128</prefix_length>
         </tunnel_inside_ipv6_address>
         <bgp>
            <asn>65530</asn>
            <hold_time>30</hold_time>
         </bgp>
      </customer_gateway>
      <vpn_gateway>
         <tunnel_outside_address>
            <ip_address>54.191.70.45</ip_address>
         </tunnel_outside_address>
         <tunnel_inside_address>
            <ip_address>169.254.72.21</ip_address>
            <network_mask>255.255.255.252</network_mask>
            <network_cidr>30</network_cidr>
         </tunnel_inside_address>
         <tunnel_inside_ipv6_address>
            <ip_address>fd00:2001:db8:2:2d1:81ff:fe41:d205</ip_address>
            <prefix_length>128</prefix_length>
         </tunnel_inside_ipv6_address>
         <bgp>
            <asn>64512</asn>
            <hold_time>30</hold_time>
         </bgp>
      </vpn_gateway>
      <ike>
         <authentication_protocol>sha1</authentication_protocol>
         <encryption_protocol>aes-128-cbc</encryption_protocol>
         <lifetime>28800</lifetime>
         <perfect_forward_secrecy>group2</perfect_forward_secrecy>
         <mode>main</mode>
         <pre_shared_key>MtQoL5ZDf8Y_FbkHxIZQQuVm7ES0Hcbi</pre_shared_key>
      </ike>
      <ipsec>
         <protocol>esp</protocol>
         <authentication_protocol>hmac-sha1-96</authentication_protocol>
         <encryption_protocol>aes-128-cbc</encryption_protocol>
         <lifetime>3600</lifetime>
         <perfect_forward_secrecy>group2</perfect_forward_secrecy>
         <mode>tunnel</mode>
         <clear_df_bit>true</clear_df_bit>
         <fragmentation_before_encryption>true</fragmentation_before_encryption>
         <tcp_mss_adjustment>1379</tcp_mss_adjustment>
         <dead_peer_detection>
            <interval>10</interval>
            <retries>3</retries>
         </dead_peer_detection>
      </ipsec>
   </ipsec_tunnel>
</vpn_connection>
laptom commented 3 years ago

Hi Team,

The thing is, the IPv4 tunnel addressing is exposed in a way that is easy to consume. We can simply call tunnel1_cgw_inside_address or tunnel1_vgw_inside_address to get the tunnel addressing.

To get the same for IPv6, the XML needs to be parsed. Is there any chance to have consistent access to the addresses for IPv6, like for IPv4?

tunnel1_cgw_inside_address = "169.254.202.198"
tunnel1_vgw_inside_address = "169.254.202.197"

Otherwise, can you share some examples of how those variables can easily be extracted from the XML document?

Thanks in advance.

Regards, Tomasz

From: Kit Ewbank Sent: Tuesday, 9 March 2021 20:28 To: hashicorp/terraform-provider-aws Cc: Lapa, Tomasz; Author Subject: [External] Re: [hashicorp/terraform-provider-aws] AWS transit Gateway, Ipv6 (#17998)

This message is from an EXTERNAL SENDER - be CAUTIOUS, particularly with links and attachments.


Here's an example CustomerGatewayConfiguration XML document:

<?xml version="1.0" encoding="UTF-8"?>

cgw-0772974805f81a8e8 ipsec.1 178.0.0.1 169.254.45.98 255.255.255.252 30 fd00:2001:db8:2:2d1:81ff:fe41:d202 128 65530 30 34.208.157.248 169.254.45.97 255.255.255.252 30 fd00:2001:db8:2:2d1:81ff:fe41:d201 128 64512 30 sha1 aes-128-cbc 28800 group2 main XOahDXx1hVNyMTXoBnTgDY_F.fLjymEx esp hmac-sha1-96 aes-128-cbc 3600 group2 tunnel true true 1379 10 3 178.0.0.1 169.254.72.22 255.255.255.252 30 fd00:2001:db8:2:2d1:81ff:fe41:d206 128 65530 30 54.191.70.45 169.254.72.21 255.255.255.252 30 fd00:2001:db8:2:2d1:81ff:fe41:d205 128 64512 30 sha1 aes-128-cbc 28800 group2 main MtQoL5ZDf8Y_FbkHxIZQQuVm7ES0Hcbi esp hmac-sha1-96 aes-128-cbc 3600 group2 tunnel true true 1379 10 3 — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub, or unsubscribe. ________________________________ This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy. Your privacy is important to us. Accenture uses your personal data only in compliance with data protection laws. For further information on how Accenture processes your personal data, please see our privacy statement at https://www.accenture.com/us-en/privacy-policy. ______________________________________________________________________________________ www.accenture.com
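The XML-parsing route asked for above, as an added example in Go (the provider's implementation language) that is neither the provider's code nor the poster's. It maps only the addressing elements of a CustomerGatewayConfiguration document into a struct, validates that the `tunnel_inside_ipv6_address` values really are IPv6, and flattens the result into a string map named after the provider's `tunnelN_*` attributes (the `*_ipv6_address` names are this example's choice, mirroring the issue title, not attributes the provider exposes). The sample document is constructed for the example and trimmed to one tunnel; its pre-shared key is a placeholder. The `<ike>` block is deliberately not mapped, because the same document carries the real pre-shared keys: wherever `customer_gateway_configuration` is read, treat it as sensitive and keep it out of logs and non-sensitive outputs.

```go
package main

import (
	"encoding/json"
	"encoding/xml"
	"fmt"
	"net"
	"os"
)

// Constructed sample (not a real connection): same layout as the
// CustomerGatewayConfiguration document in the thread, trimmed to one tunnel.
const sampleConfig = `<?xml version="1.0" encoding="UTF-8"?>
<vpn_connection id="vpn-00000000000000000">
  <customer_gateway_id>cgw-00000000000000000</customer_gateway_id>
  <vpn_connection_type>ipsec.1</vpn_connection_type>
  <ipsec_tunnel>
    <customer_gateway>
      <tunnel_outside_address><ip_address>178.0.0.1</ip_address></tunnel_outside_address>
      <tunnel_inside_address><ip_address>169.254.45.98</ip_address><network_cidr>30</network_cidr></tunnel_inside_address>
      <tunnel_inside_ipv6_address><ip_address>fd00:2001:db8:2:2d1:81ff:fe41:d202</ip_address><prefix_length>128</prefix_length></tunnel_inside_ipv6_address>
    </customer_gateway>
    <vpn_gateway>
      <tunnel_outside_address><ip_address>34.208.157.248</ip_address></tunnel_outside_address>
      <tunnel_inside_address><ip_address>169.254.45.97</ip_address><network_cidr>30</network_cidr></tunnel_inside_address>
      <tunnel_inside_ipv6_address><ip_address>fd00:2001:db8:2:2d1:81ff:fe41:d201</ip_address><prefix_length>128</prefix_length></tunnel_inside_ipv6_address>
    </vpn_gateway>
    <ike><pre_shared_key>PLACEHOLDER-NOT-A-REAL-KEY</pre_shared_key></ike>
  </ipsec_tunnel>
</vpn_connection>`

type addr struct {
	IP           string `xml:"ip_address"`
	PrefixLength string `xml:"prefix_length"`
}

type endpoint struct {
	Outside    addr `xml:"tunnel_outside_address"`
	Inside     addr `xml:"tunnel_inside_address"`
	InsideIPv6 addr `xml:"tunnel_inside_ipv6_address"`
}

// Only addressing is mapped; <ike>/<pre_shared_key> is intentionally left out
// so the secret never reaches this program's output or logs.
type tunnel struct {
	CGW endpoint `xml:"customer_gateway"`
	VGW endpoint `xml:"vpn_gateway"`
}

type vpnConnection struct {
	ID      string   `xml:"id,attr"`
	Tunnels []tunnel `xml:"ipsec_tunnel"`
}

// TunnelAddrs holds one tunnel's addressing, named after the provider's tunnelN_* attributes.
type TunnelAddrs struct {
	Address, CGWInsideAddress, VGWInsideAddress               string
	CGWInsideIPv6Address, VGWInsideIPv6Address, IPv6PrefixLen string
}

// ParseTunnelAddrs extracts per-tunnel inside IPv4/IPv6 addresses. Tunnels
// without a tunnel_inside_ipv6_address block (an ipv4 inside version) yield
// empty IPv6 fields; a malformed IPv6 value is an error rather than silently
// copied into a router config.
func ParseTunnelAddrs(doc []byte) ([]TunnelAddrs, error) {
	var c vpnConnection
	if err := xml.Unmarshal(doc, &c); err != nil {
		return nil, fmt.Errorf("parse customer gateway configuration: %w", err)
	}
	if len(c.Tunnels) == 0 {
		return nil, fmt.Errorf("%s: no <ipsec_tunnel> elements", c.ID)
	}
	out := make([]TunnelAddrs, 0, len(c.Tunnels))
	for i, t := range c.Tunnels {
		for _, v6 := range []string{t.CGW.InsideIPv6.IP, t.VGW.InsideIPv6.IP} {
			if ip := net.ParseIP(v6); v6 != "" && (ip == nil || ip.To4() != nil) {
				return nil, fmt.Errorf("tunnel %d: %q is not an IPv6 address", i+1, v6)
			}
		}
		out = append(out, TunnelAddrs{
			Address:              t.VGW.Outside.IP, // AWS-side outside IP, i.e. tunnelN_address
			CGWInsideAddress:     t.CGW.Inside.IP,
			VGWInsideAddress:     t.VGW.Inside.IP,
			CGWInsideIPv6Address: t.CGW.InsideIPv6.IP,
			VGWInsideIPv6Address: t.VGW.InsideIPv6.IP,
			IPv6PrefixLen:        t.CGW.InsideIPv6.PrefixLength,
		})
	}
	return out, nil
}

// ExternalOutput flattens the result into the flat map of strings that
// Terraform's "external" data source expects as JSON on stdout.
func ExternalOutput(addrs []TunnelAddrs) map[string]string {
	m := map[string]string{}
	for i, a := range addrs {
		p := fmt.Sprintf("tunnel%d_", i+1)
		m[p+"address"] = a.Address
		m[p+"cgw_inside_address"] = a.CGWInsideAddress
		m[p+"vgw_inside_address"] = a.VGWInsideAddress
		m[p+"cgw_inside_ipv6_address"] = a.CGWInsideIPv6Address
		m[p+"vgw_inside_ipv6_address"] = a.VGWInsideIPv6Address
	}
	return m
}

func main() {
	addrs, err := ParseTunnelAddrs([]byte(sampleConfig))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	json.NewEncoder(os.Stdout).Encode(ExternalOutput(addrs))
}
```

To drive it from Terraform, feed `aws_vpn_connection.DEMO_IPv6.customer_gateway_configuration` to the program (for instance via the `external` data source's `query`) and read `tunnel1_cgw_inside_ipv6_address` and `tunnel1_vgw_inside_ipv6_address` from its result; because the input document contains the pre-shared keys, the data source's arguments and any output derived from them should be marked sensitive.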
github-actions[bot] commented 6 months ago

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

github-actions[bot] commented 4 months ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.