# Helper values shared by the droplet's cloud-init rendering.
locals {
  # Raw bootstrap script shipped alongside this module.
  setup_vpn_script = file("${path.module}/setup-vpn.sh")

  # The script is split into lines and each line gets a leading space so the
  # whole text can be embedded inside an indented YAML scalar in
  # cloud-init-template.yaml (a trailing newline in the file yields one
  # whitespace-only line at the end, which YAML tolerates).
  setup_vpn_script_lines    = split("\n", local.setup_vpn_script)
  setup_vpn_script_indented = join("\n", [for l in local.setup_vpn_script_lines : " ${l}"])
}
# Gateway droplet that terminates the tunnel to remote_vpn_public_ip. It is
# bootstrapped by a cloud-init document rendered from cloud-init-template.yaml
# with the tunnel parameters and the embedded setup script.
resource "digitalocean_droplet" "vpn_gateway" {
  name   = var.name
  region = var.region
  image  = var.image
  size   = var.size

  vpc_uuid   = var.vpc_id
  ssh_keys   = var.ssh_keys
  monitoring = var.monitoring
  tags       = var.tags

  # NOTE(review): var.vpn_psk is rendered verbatim into user_data, so the
  # secret lands in plan output and state and in the droplet's user-data
  # metadata, not just on the host. Declare the variable with
  # `sensitive = true` and restrict access to the state backend. Any change
  # to these inputs rewrites user_data, which the provider normally treats as
  # a replacement trigger for the droplet — confirm before rotating the PSK.
  user_data = templatefile("${path.module}/cloud-init-template.yaml", {
    vpn_psk              = var.vpn_psk
    vpn_tunnel_cidr      = var.vpn_tunnel_cidr_bits # presumably a prefix length ("bits"); verify in the template
    do_vpn_public_ip     = var.do_vpn_public_ip
    do_vpn_tunnel_ip     = var.do_vpn_tunnel_ip
    remote_vpn_public_ip = var.remote_vpn_public_ip
    remote_vpn_tunnel_ip = var.remote_vpn_tunnel_ip
    remote_vpn_cidr      = var.remote_vpn_cidr
    setup_vpn_script     = local.setup_vpn_script_indented
  })
}
# Attach the pre-allocated public address to the gateway. It is the same
# address handed to cloud-init as do_vpn_public_ip, presumably so the remote
# peer sees a stable endpoint across droplet rebuilds.
resource "digitalocean_reserved_ip_assignment" "reserved_ip_assignment" {
  droplet_id = digitalocean_droplet.vpn_gateway.id
  ip_address = var.do_vpn_public_ip
}
# Cloud firewall in front of the gateway droplet.
#
# Inbound: every TCP and UDP port plus ICMP from var.allowed_firewall_cidrs,
# and every UDP port from the VPN peer. Outbound: unrestricted.
#
# NOTE(review): allowed_firewall_cidrs grants full TCP/UDP reach to the host,
# so it should hold administrative source ranges only, never 0.0.0.0/0. The
# peer rule admits all UDP ports; if the tunnel only needs IKE/NAT-T
# (UDP 500 and 4500) or a single WireGuard port, narrow port_range to that —
# check setup-vpn.sh for the ports actually in use.
resource "digitalocean_firewall" "vpn_fw" {
  name        = var.name
  droplet_ids = [digitalocean_droplet.vpn_gateway.id]

  # Administrative access: all TCP and all UDP ports from the allowed ranges.
  dynamic "inbound_rule" {
    for_each = ["tcp", "udp"]
    content {
      protocol         = inbound_rule.value
      port_range       = "1-65535"
      source_addresses = var.allowed_firewall_cidrs
    }
  }

  # Ping/diagnostics from the same ranges (ICMP carries no port range).
  inbound_rule {
    protocol         = "icmp"
    source_addresses = var.allowed_firewall_cidrs
  }

  # Tunnel traffic from the remote VPN endpoint.
  inbound_rule {
    protocol         = "udp"
    port_range       = "1-65535"
    source_addresses = [var.remote_vpn_public_ip]
  }

  # Egress is open to any IPv4/IPv6 destination.
  dynamic "outbound_rule" {
    for_each = ["tcp", "udp"]
    content {
      protocol              = outbound_rule.value
      port_range            = "1-65535"
      destination_addresses = ["0.0.0.0/0", "::/0"]
    }
  }

  outbound_rule {
    protocol              = "icmp"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }
}