Startseite Erkunden Hilfe
Anmelden
bat9go
/
Ycsecurity
Mirror von https://github.com/yandex-cloud/yc-solution-library-for-security
Beobachten 1
Favorit hinzufügen 0
Fork 0
Dateien Issues 0 Wiki
Struktur: b4fd5ef18a
Branches Tags
Ycsecurity
/
network-sec
/
ipsec-sgw
/
vpc.tf

vpc.tf 4.1 KB
Verlauf Originalformat

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151 
  1. # =============
    2. 

  2. # VPC Resources
    3. 

  3. # =============
    4. 

  4. 

  5. # Define SGW Network
    6. 

  6. data "yandex_vpc_network" "yc_net" {
    7. 

  7.   folder_id = data.yandex_resourcemanager_folder.sgw_folder.id
    8. 

  8.   name      = var.yc_subnets.net_name
    9. 

  9. }
    10. 

  10. 

  11. # Create SGW Subnet
    12. 

  12. resource "yandex_vpc_subnet" "sgw_subnet" {
    13. 

  13.   folder_id      = data.yandex_resourcemanager_folder.sgw_folder.id
    14. 

  14.   name           = "${var.yc_sgw.name}-subnet"
    15. 

  15.   description    = "YC IPsec Security gateway subnet"
    16. 

  16.   v4_cidr_blocks = [var.yc_sgw.subnet]
    17. 

  17.   zone           = var.yc_sgw.zone
    18. 

  18.   network_id     = data.yandex_vpc_network.yc_net.id
    19. 

  19.   labels         = var.labels
    20. 

  20. }
    21. 

  21. 

  22. # Reserve a static IP for the SGW instance
    23. 

  23. resource "yandex_vpc_address" "sgw_public_ip" {
    24. 

  24.   folder_id = data.yandex_resourcemanager_folder.sgw_folder.id
    25. 

  25.   name      = var.yc_sgw.name
    26. 

  26.   external_ipv4_address {
    27. 

  27.     zone_id = var.yc_sgw.zone
    28. 

  28.   }
    29. 

  29.   labels = var.labels
    30. 

  30. }
    31. 

  31. 

  32. # Create Security Group for SGW
    33. 

  33. resource "yandex_vpc_security_group" "sgw_sg" {
    34. 

  34.   folder_id   = data.yandex_resourcemanager_folder.sgw_folder.id
    35. 

  35.   name        = "${lower(var.yc_sgw.name)}-sg"
    36. 

  36.   description = "IPsec SGW VM"
    37. 

  37.   network_id  = data.yandex_vpc_network.yc_net.id
    38. 

  38.   labels      = var.labels
    39. 

  39. 

  40.   ingress {
    41. 

  41.     description    = "icmp"
    42. 

  42.     protocol       = "ICMP"
    43. 

  43.     v4_cidr_blocks = ["0.0.0.0/0"]
    44. 

  44.   }
    45. 

  45. 

  46.   ingress {
    47. 

  47.     description    = "ssh"
    48. 

  48.     protocol       = "TCP"
    49. 

  49.     port           = 22
    50. 

  50.     v4_cidr_blocks = ["0.0.0.0/0"]
    51. 

  51.   }
    52. 

  52. 

  53.   ingress {
    54. 

  54.     description    = "http"
    55. 

  55.     protocol       = "TCP"
    56. 

  56.     port           = "8000"
    57. 

  57.     v4_cidr_blocks = ["0.0.0.0/0"]
    58. 

  58.   }
    59. 

  59. 

  60.   ingress {
    61. 

  61.     description    = "ipsec"
    62. 

  62.     protocol       = "UDP"
    63. 

  63.     port           = "500"
    64. 

  64.     v4_cidr_blocks = ["${var.remote_sgw.outside_ip}/32"]
    65. 

  65.   }
    66. 

  66. 

  67.   ingress {
    68. 

  68.     description    = "ipsec"
    69. 

  69.     protocol       = "UDP"
    70. 

  70.     port           = "4500"
    71. 

  71.     v4_cidr_blocks = ["${var.remote_sgw.outside_ip}/32"]
    72. 

  72.   }
    73. 

  73. 

  74.   egress {
    75. 

  75.     description    = "Permit ANY"
    76. 

  76.     protocol       = "ANY"
    77. 

  77.     v4_cidr_blocks = ["0.0.0.0/0"]
    78. 

  78.   }
    79. 

  79. }
    80. 

  80. 

  81. 

  82. # Get All Subnets inside of specified Network/VPC
    83. 

  83. data "yandex_vpc_subnet" "yc_sub_all" {
    84. 

  84.   folder_id = var.folder_id
    85. 

  85.   for_each  = toset(data.yandex_vpc_network.yc_net.subnet_ids)
    86. 

  86.   subnet_id = each.value
    87. 

  87. }
    88. 

  88. 

  89. locals {
    90. 

  90.   single_list = ["one-value"]
    91. 

  91. 

  92.   # Filter Subnets by var.remote_subnets list
    93. 

  93.   sub_list = tolist(var.yc_subnets.prefix_list)
    94. 

  94.   subnet_list = flatten([
    95. 

  95.     for sub_id in data.yandex_vpc_network.yc_net.subnet_ids : {
    96. 

  96.       id     = sub_id
    97. 

  97.       prefix = data.yandex_vpc_subnet.yc_sub_all[sub_id].v4_cidr_blocks[0]
    98. 

  98.     } if contains(local.sub_list, data.yandex_vpc_subnet.yc_sub_all[sub_id].v4_cidr_blocks[0])
    99. 

  99.   ])
    100. 

  100. 

  101.   # generate yc CLI strings for apply RT to subnets
    102. 

  102.   yc_rt_cmd = "ids=\"${join(" ", flatten([
    103. 

  103.     for sub in local.subnet_list : ["${sub.id}"]
    104. 

  104.   ]))}\"; for id in $ids ; do yc vpc subnet update $id --route-table-name=${lower(var.yc_sgw.name)}-rt ; done"
    105. 

  105. 

  106. }
    107. 

  107. 

  108. # Create Route table for route traffic to the remote subnets via SGW
    109. 

  109. resource "yandex_vpc_route_table" "sgw_rt" {
    110. 

  110.   folder_id  = data.yandex_resourcemanager_folder.sgw_folder.id
    111. 

  111.   name       = "${lower(var.yc_sgw.name)}-rt"
    112. 

  112.   network_id = data.yandex_vpc_network.yc_net.id
    113. 

  113. 

  114.   dynamic "static_route" {
    115. 

  115.     for_each = var.remote_subnets == null ? [] : var.remote_subnets
    116. 

  116.     content {
    117. 

  117.       destination_prefix = static_route.value
    118. 

  118.       next_hop_address   = var.yc_sgw.inside_ip
    119. 

  119.     }
    120. 

  120.   }
    121. 

  121. 

  122.   dynamic "static_route" {
    123. 

  123.     for_each = [for el in local.single_list : el
    124. 

  124.     if var.yc_subnets.rt_internet_access == true]
    125. 

  125.     content {
    126. 

  126.       destination_prefix = "0.0.0.0/0"
    127. 

  127.       gateway_id         = yandex_vpc_gateway.egress_gw[0].id
    128. 

  128.     }
    129. 

  129.   }
    130. 

  130. 

  131. }
    132. 

  132. 

  133. # If yc_subnets.rt_internet_access = true, Gateway should be created
    134. 

  134. resource "yandex_vpc_gateway" "egress_gw" {
    135. 

  135.   count     = var.yc_subnets.rt_internet_access ? 1 : 0
    136. 

  136.   folder_id = var.folder_id
    137. 

  137.   name      = "${data.yandex_vpc_network.yc_net.name}-egw"
    138. 

  138.   shared_egress_gateway {}
    139. 

  139. }
    140. 

  140. 

  141. # If yc_subnets.force_subnets_update = true, perform subnets update with yc
    142. 

  142. resource "null_resource" "yc_subnets_update" {
    143. 

  143.   count = var.yc_subnets.force_subnets_update ? 1 : 0
    144. 

  144.   provisioner "local-exec" {
    145. 

  145.     command = local.yc_rt_cmd
    146. 

  146.   }
    147. 

  147.   depends_on = [
    148. 

  148.     yandex_vpc_route_table.sgw_rt
    149. 

  149.   ]
    150. 

  150. }
    151. 

  151.