Почетна Преглед Помоћ
Пријавите се
bat9go
/
Ycsecurity
огледало од https://github.com/yandex-cloud/yc-solution-library-for-security
Прати 1
Волим 0
Креирај огранак 0
Датотеке Дискусије 0 Вики
Грана: fix-typos
Гране Ознаке
Ycsecurity
/
network-sec
/
vpn
/
remote.tf

remote.tf 3.1 KB
Пермалинк Историја Датотека

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130 
  1. resource "yandex_vpc_network" "remote-admin" {
    2. 

  2.   name = "remote-admin"
    3. 

  3. }
    4. 

  4. resource "yandex_vpc_route_table" "route-to-cloud" {
    5. 

  5.   name = "route-to-cloud"
    6. 

  6.   network_id = yandex_vpc_network.remote-admin.id
    7. 

  7. 

  8.   static_route {
    9. 

  9.     destination_prefix = "10.0.0.0/8"
    10. 

  10.     next_hop_address   = "192.168.0.5"
    11. 

  11.   }
    12. 

  12. }
    13. 

  13. 

  14. resource "yandex_vpc_subnet" "remote-a" {
    15. 

  15.   name           = "remote-a"
    16. 

  16.   zone           = "ru-central1-a"
    17. 

  17.   network_id     = yandex_vpc_network.remote-admin.id
    18. 

  18.   v4_cidr_blocks = ["192.168.0.0/24"]
    19. 

  19. 

  20. }
    21. 

  21. data "yandex_compute_image" "my_vpn" {
    22. 

  22.   family = "ipsec-instance-ubuntu"
    23. 

  23. }
    24. 

  24. 

  25. resource "yandex_vpc_security_group" "sg-remote" {
    26. 

  26.   name        = "sg-remote"
    27. 

  27.   description = "allows traffic in and out of tunnel and tunnel itself"
    28. 

  28.   network_id  = yandex_vpc_network.remote-admin.id
    29. 

  29. 

  30. 

  31. 

  32.   ingress {
    33. 

  33.     protocol       = "TCP"
    34. 

  34.     description    = "internal_net_ssh"
    35. 

  35.     v4_cidr_blocks = ["10.0.0.0/8", "192.168.0.0/24"]
    36. 

  36.     port           = 22
    37. 

  37.   }
    38. 

  38. 

  39.   ingress {
    40. 

  40.     protocol       = "ICMP"
    41. 

  41.     description    = "internal_icmp"
    42. 

  42.     v4_cidr_blocks = ["10.0.0.0/8", "192.168.0.0/24"]
    43. 

  43.   }
    44. 

  44. 

  45.   ingress {
    46. 

  46.   protocol          = "ANY"
    47. 

  47.   description       = "p2p"
    48. 

  48.   predefined_target = "self_security_group"
    49. 

  49. }
    50. 

  50. 

  51.   ingress {
    52. 

  52.     protocol       = "UDP"
    53. 

  53.     description    = "ipsec_peer_allow_4500"
    54. 

  54.     v4_cidr_blocks = formatlist("%s/32", [yandex_vpc_address.vpnaddr.external_ipv4_address.0.address])
    55. 

  55.     port      = 4500
    56. 

  56.   }
    57. 

  57. 

  58.   ingress {
    59. 

  59.     protocol       = "UDP"
    60. 

  60.     description    = "ipsec_peer_allow_500"
    61. 

  61.     v4_cidr_blocks = formatlist("%s/32", [yandex_vpc_address.vpnaddr.external_ipv4_address.0.address])
    62. 

  62.     port      = 500
    63. 

  63.   }
    64. 

  64. 

  65. 

  66.   ingress {
    67. 

  67.     protocol          = "TCP"
    68. 

  68.     description       = "p2p"
    69. 

  69.     v4_cidr_blocks = var.remote_whitelist_ip
    70. 

  70.     port              = "22"
    71. 

  71.   }
    72. 

  72. 

  73.   egress {
    74. 

  74.     protocol       = "ANY"
    75. 

  75.     description    = "egress_internet"
    76. 

  76.     v4_cidr_blocks = ["0.0.0.0/0"]
    77. 

  77.     from_port      = 0
    78. 

  78.     to_port        = 65535
    79. 

  79.   }
    80. 

  80. }
    81. 

  81. 

  82. data "template_file" "remote_init" {
    83. 

  83.   template = "${file("remote-init.tpl.yaml")}"
    84. 

  84.   vars =  {
    85. 

  85. 

  86.         ssh_key = "${file(var.public_key_path)}"
    87. 

  87.         vpn_addr = yandex_vpc_address.vpnaddr.external_ipv4_address.0.address
    88. 

  88.         remote_addr = yandex_vpc_address.remoteaddr.external_ipv4_address.0.address
    89. 

  89.         ipsec_pass = var.ipsec_password
    90. 

  90.     }
    91. 

  91. }
    92. 

  92. 

  93. resource "yandex_vpc_address" "remoteaddr" {
    94. 

  94.   name = "remoteaddr"
    95. 

  95. 

  96.   external_ipv4_address {
    97. 

  97.     zone_id = "ru-central1-a"
    98. 

  98.   }
    99. 

  99. }
    100. 

  100. resource "yandex_compute_instance" "remote-vpn" {
    101. 

  101.   zone        = "ru-central1-a"
    102. 

  102.   name        = "remote-vpn"
    103. 

  103.   hostname    = "remote-vpn"
    104. 

  104.   platform_id = "standard-v2"
    105. 

  105.   resources {
    106. 

  106.     cores  = 4
    107. 

  107.     memory = 8
    108. 

  108.   }
    109. 

  109.   boot_disk {
    110. 

  110.     initialize_params {
    111. 

  111.       image_id = data.yandex_compute_image.my_vpn.id
    112. 

  112.       type     = "network-ssd"
    113. 

  113.       size     = 26
    114. 

  114.     }
    115. 

  115.   }
    116. 

  116. 

  117.   network_interface {
    118. 

  118.     subnet_id  = yandex_vpc_subnet.remote-a.id
    119. 

  119.     ip_address = "192.168.0.5"
    120. 

  120.     nat = true
    121. 

  121.     nat_ip_address = yandex_vpc_address.remoteaddr.external_ipv4_address.0.address
    122. 

  122.     security_group_ids = [yandex_vpc_security_group.sg-remote.id]
    123. 

  123. }
    124. 

  124. 

  125. metadata = {
    126. 

  126.   user-data = "${data.template_file.remote_init.rendered}"
    127. 

  127.   serial-port-enable = 1
    128. 

  128. }
    129. 

  129. }
    130. 

  130.