updated vpnaas example to use DUS and HAM / updated terraform to use …

…os provider version3

vpnaas/main.tf

@@ -1,108 +1,85 @@
+# Provider configuration
+
+provider "openstack" {
+  region = "dus2"
+  alias  = "dus2"
+}
+
+provider "openstack" {
+  region = "ham1"
+  alias  = "ham1"
+}
+
 # IPsec IKEv1 PSK
 variable "ipsec_psk" {
   type    = string
   default = "super_secret"
 }
 
-# Public key to access example instances
-variable "ssh_publickey" {
-  type        = string
+# Public key to access instances
+variable "public_key" {
+  type    = string
   description = "ssh-rsa public key in authorized_keys format (ssh-rsa AAAAB3Nz [...] ABAAACAC62Lw== user@host)"
   # default = "ssh-rsa AAAAB3Nz [...] ABAAACAC62Lw== user@host"
 }
 
-# Region configuration
-provider "openstack" {
-  region = "dbl"
-  alias  = "dbl"
-}
-
-provider "openstack" {
-  region = "cbk"
-  alias  = "cbk"
-}
-
-# Deploy infrastructure to CBK
-module "network_cbk" {
-  source = "./modules/network"
-  region = "cbk"
-  cidr   = "10.100.1.0/24"
+# Deploy infrastructure to ham1
+module "network_ham1" {
+  source      = "./modules/network"
+  region      = "ham1"
+  cidr        = "10.100.1.0/24"
+  remote_cidr = "10.100.2.0/24"
 }
 
-module "application_cbk" {
-  source     = "./modules/simple-app"
-  region     = "cbk"
-  public_key = var.ssh_publickey
+module "application_ham1" {
+  source         = "./modules/application"
+  app_depends_on = [module.network_ham1.subnet]
+  region         = "ham1"
+  public_key     = var.public_key
+  port_id        = module.network_ham1.instance_port_id
 }
 
-# Deploy infrastructure to DBL
-module "network_dbl" {
-  source = "./modules/network"
-  region = "dbl"
-  cidr   = "10.100.2.0/24"
+# Deploy infrastructure to dus2
+module "network_dus2" {
+  source      = "./modules/network"
+  region      = "dus2"
+  cidr        = "10.100.2.0/24"
+  remote_cidr = "10.100.1.0/24"
 }
 
-module "application_dbl" {
-  source     = "./modules/simple-app"
-  region     = "dbl"
-  public_key = var.ssh_publickey
+module "application_dus2" {
+  source         = "./modules/application"
+  app_depends_on = [module.network_dus2.subnet]
+  region         = "dus2"
+  public_key     = var.public_key
+  port_id        = module.network_dus2.instance_port_id
 }
 
 # VPN Site-to-Site connections
-resource "openstack_vpnaas_site_connection_v2" "cbk_to_dbl" {
-  name              = "CBK to DBL"
-  provider          = openstack.cbk
-  vpnservice_id     = module.network_cbk.vpnservice_id
-  ikepolicy_id      = module.network_cbk.ikepolicy_id
-  ipsecpolicy_id    = module.network_cbk.ipsecpolicy_id
-  peer_id           = module.network_dbl.peer_id
-  peer_address      = module.network_dbl.peer_id
+resource "openstack_vpnaas_site_connection_v2" "ham1_to_dus2" {
+  name              = "ham1 to dus2"
+  provider          = openstack.ham1
+  vpnservice_id     = module.network_ham1.vpnservice_id
+  ikepolicy_id      = module.network_ham1.ikepolicy_id
+  ipsecpolicy_id    = module.network_ham1.ipsecpolicy_id
+  peer_id           = module.network_dus2.peer_id
+  peer_address      = module.network_dus2.peer_id
   psk               = var.ipsec_psk
-  local_ep_group_id = module.network_cbk.local_endpoint_group_id
-  peer_ep_group_id  = openstack_vpnaas_endpoint_group_v2.peer_dbl.id
-  admin_state_up    = "true"
-  dpd {
-    action   = "hold"
-    timeout  = 120
-    interval = 30
-  }
+  local_ep_group_id = module.network_ham1.ep_subnet_endpoint_group_id
+  peer_ep_group_id  = module.network_ham1.ep_cidr_endpoint_group_id
+  admin_state_up = "true"
 }
 
-resource "openstack_vpnaas_endpoint_group_v2" "peer_dbl" {
-  provider  = openstack.cbk
-  name      = "DBL peer"
-  type      = "cidr"
-  endpoints = [module.network_dbl.cidr]
-  lifecycle {
-    create_before_destroy = true
-  }
-}
-
-resource "openstack_vpnaas_site_connection_v2" "dbl_to_cbk" {
-  name              = "DBL to CBK"
-  provider          = openstack.dbl
-  vpnservice_id     = module.network_dbl.vpnservice_id
-  ikepolicy_id      = module.network_dbl.ikepolicy_id
-  ipsecpolicy_id    = module.network_dbl.ipsecpolicy_id
-  peer_id           = module.network_cbk.peer_id
-  peer_address      = module.network_cbk.peer_id
+resource "openstack_vpnaas_site_connection_v2" "dus2_to_ham1" {
+  name              = "dus2 to ham1"
+  provider          = openstack.dus2
+  vpnservice_id     = module.network_dus2.vpnservice_id
+  ikepolicy_id      = module.network_dus2.ikepolicy_id
+  ipsecpolicy_id    = module.network_dus2.ipsecpolicy_id
+  peer_id           = module.network_ham1.peer_id
+  peer_address      = module.network_ham1.peer_id
   psk               = var.ipsec_psk
-  local_ep_group_id = module.network_dbl.local_endpoint_group_id
-  peer_ep_group_id  = openstack_vpnaas_endpoint_group_v2.peer_cbk.id
-  admin_state_up    = "true"
-  dpd {
-    action   = "hold"
-    timeout  = 120
-    interval = 30
-  }
-}
-
-resource "openstack_vpnaas_endpoint_group_v2" "peer_cbk" {
-  provider  = openstack.dbl
-  name      = "CBK peer"
-  type      = "cidr"
-  endpoints = [module.network_cbk.cidr]
-  lifecycle {
-    create_before_destroy = true
-  }
+  local_ep_group_id = module.network_dus2.ep_subnet_endpoint_group_id
+  peer_ep_group_id  = module.network_dus2.ep_cidr_endpoint_group_id
+  admin_state_up = "true"
 }

vpnaas/modules/application/main.tf

@@ -0,0 +1,74 @@
+# Prvider Configuration
+provider "openstack" {
+  region = var.region
+}
+
+data "openstack_networking_network_v2" "ext_net" {
+  name = "ext-net"
+}
+
+# Select latest Openstack Ubuntu Image
+data "openstack_images_image_v2" "image" {
+  most_recent = true
+
+  visibility = "public"
+  properties = {
+    os_distro  = "ubuntu"
+    os_version = "24.04"
+  }
+}
+
+# Create SSH Key
+resource "openstack_compute_keypair_v2" "application" {
+  name       = var.name
+  public_key = var.public_key
+}
+
+# Create Security Group and Rules for SSH access and ICMP (ping)
+resource "openstack_networking_secgroup_v2" "application_secgroup" {
+  name        = "unicorn_secgroup"
+  description = "Security group for ssh and icmp access"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "ssh_rule" {
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = "tcp"
+  port_range_min    = 22
+  port_range_max    = 22
+  remote_ip_prefix  = "0.0.0.0/0"
+  security_group_id = openstack_networking_secgroup_v2.application_secgroup.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "icmp_rule" {
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = "icmp"
+  port_range_min    = 0
+  port_range_max    = 0
+  remote_ip_prefix  = "0.0.0.0/0"
+  security_group_id = openstack_networking_secgroup_v2.application_secgroup.id
+}
+
+# Create VM instance with a floating IP
+resource "openstack_compute_instance_v2" "application" {
+  depends_on  = [var.app_depends_on]
+  name        = var.name
+  image_name  = var.image_name != null ? var.image_name : data.openstack_images_image_v2.image.name
+  flavor_name = var.flavor
+  key_pair    = openstack_compute_keypair_v2.application.name
+  security_groups = ["unicorn_secgroup","default"]
+
+  network {
+    name = var.network
+  }
+}
+
+resource "openstack_networking_floatingip_v2" "application" {
+  pool = data.openstack_networking_network_v2.ext_net.name
+}
+
+resource "openstack_networking_floatingip_associate_v2" "application" {
+  floating_ip = openstack_networking_floatingip_v2.application.address
+  port_id     = var.port_id
+}

vpnaas/modules/application/variables.tf

@@ -0,0 +1,37 @@
+variable "region" {
+  type = string
+}
+
+variable "name" {
+  type    = string
+  default = "unicorn"
+}
+
+variable "image_name" {
+  type        = string
+  description = "Openstack image node"
+  default     = null
+}
+
+variable "network" {
+  type    = string
+  default = "unicorn"
+}
+
+variable "public_key" {
+  type = string
+}
+
+variable "flavor" {
+  type = string
+  default = "m2.tiny"
+}
+
+variable "port_id" {
+  type = string
+}
+
+variable "app_depends_on" {
+  type    = any
+    default = null
+}

vpnaas/modules/simple-app/versions.tf → vpnaas/modules/application/versions.tf

@@ -4,5 +4,4 @@ terraform {
       source = "terraform-provider-openstack/openstack"
     }
   }
-  required_version = ">= 0.13"
 }

vpnaas/modules/network/network.tf → vpnaas/modules/network/main.tf

@@ -1,3 +1,4 @@
+# Provider Configuration
 provider "openstack" {
   region = var.region
 }
@@ -6,6 +7,7 @@ data "openstack_networking_network_v2" "ext_net" {
   name = "ext-net"
 }
 
+# Create Network and Subnet
 resource "openstack_networking_network_v2" "network" {
   name           = var.name
   admin_state_up = "true"
@@ -16,12 +18,24 @@ resource "openstack_networking_subnet_v2" "network" {
   network_id      = openstack_networking_network_v2.network.id
   cidr            = var.cidr
   ip_version      = 4
-  dns_nameservers = ["37.123.105.116", "37.123.105.117"]
+  dns_nameservers = ["8.8.8.8", "8.8.4.4"]
 }
 
+# Create Network Port for instance
+resource "openstack_networking_port_v2" "network" {
+  name               = var.name
+  admin_state_up     = "true"
+  network_id         = openstack_networking_network_v2.network.id
+
+  fixed_ip {
+    subnet_id = openstack_networking_subnet_v2.network.id
+  }
+}
+
+# Create Network Router
 resource "openstack_networking_router_v2" "network" {
   name                = var.name
-  admin_state_up      = true
+  admin_state_up      = "true"
   external_network_id = data.openstack_networking_network_v2.ext_net.id
 }
 
@@ -30,6 +44,7 @@ resource "openstack_networking_router_interface_v2" "network" {
   subnet_id = openstack_networking_subnet_v2.network.id
 }
 
+# Create VPN IKE Policy
 resource "openstack_vpnaas_ike_policy_v2" "network" {
   name                 = var.name
   ike_version          = "v2"
@@ -38,49 +53,37 @@ resource "openstack_vpnaas_ike_policy_v2" "network" {
   pfs                  = "group14"
 }
 
+# Create VPN IPSEC Policy
 resource "openstack_vpnaas_ipsec_policy_v2" "network" {
   name                 = var.name
   auth_algorithm       = "sha256"
   encryption_algorithm = "aes-256"
   pfs                  = "group14"
 }
 
+# Create VPN Service
 resource "openstack_vpnaas_service_v2" "network" {
   depends_on     = [openstack_networking_router_interface_v2.network]
   name           = var.name
   router_id      = openstack_networking_router_v2.network.id
   admin_state_up = "true"
 }
 
-resource "openstack_vpnaas_endpoint_group_v2" "local" {
-  name      = "${var.name} local"
+# Create VPN Endpoints
+resource "openstack_vpnaas_endpoint_group_v2" "ep_subnet" {
+  name      = "${var.name}-ep-subnet"
   type      = "subnet"
   endpoints = [openstack_networking_subnet_v2.network.id]
   lifecycle {
     create_before_destroy = true
   }
 }
 
-output "vpnservice_id" {
-  value = openstack_vpnaas_service_v2.network.id
-}
-
-output "ikepolicy_id" {
-  value = openstack_vpnaas_ike_policy_v2.network.id
-}
-
-output "ipsecpolicy_id" {
-  value = openstack_vpnaas_ipsec_policy_v2.network.id
-}
-
-output "peer_id" {
-  value = openstack_vpnaas_service_v2.network.external_v4_ip
-}
-
-output "cidr" {
-  value = var.cidr
-}
-
-output "local_endpoint_group_id" {
-  value = openstack_vpnaas_endpoint_group_v2.local.id
+resource "openstack_vpnaas_endpoint_group_v2" "ep_cidr" {
+  name      = "${var.name}-ep-cidr"
+  type      = "cidr"
+  endpoints = [var.remote_cidr]
+  lifecycle {
+    create_before_destroy = true
+  }
 }