@@ -0,0 +1,70 @@ | ||
locals { | ||
|
||
azure_region_names = { | ||
"East US" = "eastUS" | ||
"East US 2" = "eastUS2" | ||
"West US" = "westUS" | ||
"West US 2" = "westUS2" | ||
"West US 3" = "westUS3" | ||
"Central US" = "centralUS" | ||
"North Central US" = "northCentralUS" | ||
"South Central US" = "southCentralUS" | ||
"West Central US" = "westCentralUS" | ||
"North Europe" = "northEurope" | ||
"West Europe" = "westEurope" | ||
"France Central" = "franceCentral" | ||
"Germany West Central" = "germanyWestCentral" | ||
"Switzerland North" = "switzerlandNorth" | ||
"UK South" = "ukSouth" | ||
"Canada East" = "canadaEast" | ||
"Canada Central" = "canadaCentral" | ||
"South Africa West" = "southAfricaWest" | ||
"South Africa North" = "southAfricaNorth" | ||
"UAE North" = "uaeNorth" | ||
"Australia East" = "australiaEast" | ||
"Central India" = "centralIndia" | ||
"Southeast Asia" = "southEastAsia" | ||
"Sweden Central" = "swedenCentral" | ||
"South India" = "southIndia" | ||
"Australia Southeast" = "australiaSouthEast" | ||
"Korea Central" = "koreaCentral" | ||
"Poland Central" = "polandCentral" | ||
"Brazil South" = "brazilSouth" | ||
"Japan East" = "japanEast" | ||
"Japan West" = "japanWest" | ||
"Korea South" = "koreaSouth" | ||
"Italy North" = "italyNorth" | ||
"France South" = "franceSouth" | ||
"Israel Central" = "israelCentral" | ||
"East Asia" = "eastAsia" | ||
"Central US EUAP" = "centralUSEUAP" | ||
"East US 2 EUAP" = "eastUS2EUAP" | ||
"West India" = "westIndia" | ||
"Germany North" = "germanyNorth" | ||
"Norway East" = "norwayEast" | ||
"Norway West" = "norwayWest" | ||
"UAE Central" = "uaeCentral" | ||
"Brazil Southeast" = "brazilSoutheast" | ||
"Qatar Central" = "qatarCentral" | ||
"China North" = "chinaNorth" | ||
"China East" = "chinaEast" | ||
"China North 2" = "chinaNorth2" | ||
"China East 2" = "chinaEast2" | ||
"Germany Central" = "germanyCentral" | ||
"Germany Northeast" = "germanyNortheast" | ||
"India South" = "indiaSouth" | ||
"US DoD East" = "usDoDEast" | ||
"US DoD Central" = "usDoDCentral" | ||
"US Gov Virginia" = "usGovVirginia" | ||
"US Gov Iowa" = "usGovIowa" | ||
"US Gov Arizona" = "usGovArizona" | ||
"US Gov Texas" = "usGovTexas" | ||
} | ||
|
||
profiles = [for i in var.sse_forwarding_profiles : | ||
one([for profile in jsondecode(data.http.forwarding_profiles.response_body).value : { id = lookup(profile, "id", null) } if profile.trafficForwardingType == i]) | ||
] | ||
|
||
bearer_token = jsondecode(data.http.azure_bearer_token.response_body).access_token | ||
sse_endpoint_config = jsondecode(data.http.device_config.response_body) | ||
} |
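Review bot: `bearer_token` at the bottom of `locals` lifts `access_token` straight out of `data.http.azure_bearer_token.response_body`, and that response body (token included) is persisted in Terraform state in clear and shown by `terraform plan`; writing it as `bearer_token = sensitive(jsondecode(data.http.azure_bearer_token.response_body).access_token)` keeps it out of plan and console output, and the state backend still needs to be treated as holding a live credential. `profiles` wraps each lookup in `one([...])`, which returns `null` when no forwarding profile of the requested `trafficForwardingType` exists, so `forwardingProfiles` would silently contain null entries instead of failing; a `precondition` or an explicit check that every requested profile was found would surface the misconfiguration before the API call. The region map also mixes casings (`"australiaSouthEast"` vs `"brazilSoutheast"`) and lists both `"South India"` and `"India South"`, which is worth confirming against the API's region enum since the map is currently unused.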
@@ -0,0 +1,109 @@ | ||
#Obtain Azure API bearer token | ||
data "http" "azure_bearer_token" { | ||
url = "https://login.microsoftonline.com/${var.azure_tenant_id}/oauth2/token" | ||
method = "POST" | ||
|
||
request_headers = { | ||
Accept = "application/x-www-form-urlencoded" | ||
} | ||
|
||
request_body = format("grant_type=client_credentials&client_id=%s&client_secret=%s&resource=https://graph.microsoft.com/", var.azure_client_id, var.azure_client_secret) | ||
} | ||
|
||
#Fetch forwarding profiles | ||
data "http" "forwarding_profiles" { | ||
url = "https://graph.microsoft.com/beta/networkAccess/forwardingProfiles" | ||
request_headers = { | ||
Authorization = "Bearer ${local.bearer_token}" | ||
Accept = "application/json" | ||
} | ||
} | ||
|
||
#Create random PSK | ||
resource "random_password" "psk" { | ||
length = 16 | ||
special = true | ||
override_special = "!#$%&*()-_=+[]{}<>:?" | ||
} | ||
|
||
#Create remote network | ||
resource "restapi_object" "remote_network" { | ||
provider = restapi | ||
path = "/" | ||
data = jsonencode({ | ||
name = format("Aviatrix SSE Hub - %s", var.transit_gateway.vpc_reg) | ||
region = "centralUS" #Hardcoded for beta | ||
# region = lookup(local.azure_region_names, var.transit_gateway.vpc_reg) | ||
forwardingProfiles = local.profiles | ||
devicelinks = [ | ||
{ | ||
name = "AVX-Transit" | ||
ipAddress = var.transit_gateway.public_ip | ||
bandwidthCapacityInMbps = format("mbps%s", var.sse_bandwidth) | ||
deviceVendor = "other" | ||
bgpConfiguration = { | ||
localIpAddress = cidrhost(var.tunnel_subnets[0], 1) | ||
peerIpAddress = cidrhost(var.tunnel_subnets[0], 2) | ||
asn = var.transit_gateway.local_as_number | ||
} | ||
redundancyConfiguration = { | ||
zoneLocalIpAddress = null | ||
redundancyTier = "noRedundancy" | ||
} | ||
tunnelConfiguration = { | ||
"@odata.type" = "#microsoft.graph.networkaccess.tunnelConfigurationIKEv2Custom" | ||
preSharedKey = random_password.psk.result | ||
zoneRedundancyPreSharedKey = null | ||
saLifeTimeSeconds = 300 | ||
ipSecEncryption = "none" | ||
ipSecIntegrity = "sha256" | ||
ikeEncryption = "aes128" | ||
ikeIntegrity = "sha256" | ||
dhGroup = "dhGroup14" | ||
pfsGroup = "pfs14" | ||
} | ||
} | ||
] | ||
}) | ||
} | ||
|
||
data "http" "device_config" { | ||
url = "https://graph.microsoft.com/beta/networkAccess/connectivity/remoteNetworks/${restapi_object.remote_network.id}/connectivityConfiguration" | ||
request_headers = { | ||
Authorization = "Bearer ${local.bearer_token}" | ||
Accept = "application/json" | ||
} | ||
depends_on = [time_sleep.wait_for_sse_endpoint] | ||
} | ||
|
||
resource "time_sleep" "wait_for_sse_endpoint" { | ||
depends_on = [restapi_object.remote_network] | ||
create_duration = "90s" | ||
} | ||
|
||
output "test" { | ||
value = local.profiles | ||
} | ||
|
||
resource "aviatrix_transit_external_device_conn" "sse_connection" { | ||
vpc_id = var.transit_gateway.vpc_id | ||
connection_name = format("avx-sse-%s", lower(replace(var.transit_gateway.vpc_reg, " ", "-"))) | ||
gw_name = var.transit_gateway.gw_name | ||
remote_gateway_ip = local.sse_endpoint_config["links"][0]["localConfigurations"][0]["endpoint"] | ||
connection_type = "bgp" | ||
bgp_local_as_num = var.transit_gateway.local_as_number | ||
bgp_remote_as_num = local.sse_endpoint_config["links"][0]["localConfigurations"][0]["asn"] | ||
ha_enabled = false | ||
local_tunnel_cidr = format("%s/30", cidrhost(var.tunnel_subnets[0], 2)) | ||
remote_tunnel_cidr = format("%s/30", cidrhost(var.tunnel_subnets[0], 1)) | ||
custom_algorithms = true | ||
pre_shared_key = random_password.psk.result | ||
phase_1_authentication = "SHA-256" | ||
phase_2_authentication = "HMAC-SHA-256" | ||
phase_1_dh_groups = "14" | ||
phase_2_dh_groups = "14" | ||
phase_1_encryption = "AES-128-CBC" | ||
phase_2_encryption = "NULL-ENCR" | ||
phase1_local_identifier = null | ||
enable_ikev2 = true | ||
} |
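Review bot: `ipSecEncryption = "none"` in `tunnelConfiguration` together with `phase_2_encryption = "NULL-ENCR"` in `sse_connection` configures an ESP tunnel with integrity only, so traffic between the transit gateway and the SSE hub crosses the Internet authenticated but unencrypted; if that is deliberate it deserves a comment on both lines, otherwise both ends should agree on an encrypting cipher (on the Aviatrix side `phase_2_encryption = "AES-128-CBC"` to match phase 1, with the corresponding `ipSecEncryption` value on the Graph side). Separately, the token request interpolates `var.azure_client_secret` into the form body with `format()`, so a secret containing `&`, `%` or `+` is mis-parsed by the token endpoint — use `urlencode(var.azure_client_secret)` (and `urlencode(var.azure_client_id)`) — and the header on that request should be `Content-Type = "application/x-www-form-urlencoded"` rather than `Accept`, since it describes the request body. `saLifeTimeSeconds = 300` forces a rekey every five minutes while the Aviatrix side leaves its SA lifetime at the default, which looks likely to cause tunnel flaps — worth confirming. `output "test"` exposing `local.profiles` reads as a leftover debug output.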
@@ -0,0 +1,14 @@ | ||
provider "restapi" { | ||
uri = "https://graph.microsoft.com/beta/networkAccess/connectivity/remoteNetworks" | ||
write_returns_object = true | ||
debug = true | ||
|
||
headers = { | ||
Authorization = "Bearer ${local.bearer_token}" | ||
Content-Type = "application/json" | ||
} | ||
|
||
create_method = "POST" | ||
update_method = "PUT" | ||
destroy_method = "DELETE" | ||
} |
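Review bot: `debug = true` makes the restapi provider log full requests, and because `headers` carries `Authorization = "Bearer ${local.bearer_token}"` the bearer token is written to Terraform log output on every call; drop the line or set `debug = false` before this leaves development. The token also persists in state through the `data.http` source it is derived from, so state must be handled as a secret regardless of this setting. Microsoft Graph generally applies in-place updates with PATCH rather than PUT, so `update_method = "PUT"` may fail on changes to an existing remote network — worth confirming against the remoteNetworks API before relying on updates.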
@@ -0,0 +1,54 @@ | ||
variable "azure_tenant_id" { | ||
description = "Azure Tenant ID" | ||
} | ||
|
||
variable "azure_client_id" { | ||
description = "Azure Client ID" | ||
} | ||
|
||
variable "azure_client_secret" { | ||
description = "Azure Client Secret" | ||
} | ||
|
||
variable "sse_forwarding_profiles" { | ||
description = "List of the desired forwarding profiles" | ||
default = ["m365"] | ||
|
||
validation { | ||
condition = alltrue([for i in var.sse_forwarding_profiles : contains(["m365", ], i)]) #Add "internet" to the list once that is supported. | ||
error_message = "Currently only m365 is supported." | ||
} | ||
} | ||
|
||
variable "sse_bandwidth" { | ||
description = "The desired bandwidth in Mbps." | ||
default = 250 | ||
|
||
validation { | ||
condition = contains([250, 500, 750, 1000], tonumber(var.sse_bandwidth)) | ||
error_message = "The sse_bandwidth variable must be one of the following values: 250, 500, 750, or 1000." | ||
} | ||
} | ||
|
||
variable "tunnel_subnets" { | ||
default = [ | ||
"169.254.0.0/30", | ||
"169.254.0.4/30", | ||
] | ||
} | ||
|
||
variable "transit_gateway" { | ||
description = "The Aviatix transit gateway object" | ||
|
||
#Check that transit gatway is passed as the complete object. | ||
validation { | ||
condition = alltrue([for key in ["id", "vpc_id", "account_name"] : contains(keys(var.transit_gateway), key)]) | ||
error_message = "It looks like you did not provide the entire Aviatrix transit gateway object." | ||
} | ||
|
||
#Check that transit gatway has an AS number configured. | ||
validation { | ||
condition = var.transit_gateway.local_as_number != "" | ||
error_message = "The Aviatrix transit gateway must have a local_as_number configured." | ||
} | ||
} |
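Review bot: `variable "azure_client_secret"` is not marked `sensitive = true`, so the secret is printed in plan and apply output wherever it is interpolated (the token request body in the sibling file uses it); add `sensitive = true` and give the three Azure variables an explicit `type = string`. The first `transit_gateway` validation checks for `id`, `vpc_id` and `account_name`, but the keys the module actually reads are `vpc_id`, `vpc_reg`, `public_ip`, `gw_name` and `local_as_number`, so an object missing `public_ip` passes validation and only fails at apply; the list should name the keys that are used. The second validation compares `local_as_number` only against `""`, so a `null` value passes — `try(var.transit_gateway.local_as_number, "") != ""` with a null guard would be stricter, though how Aviatrix represents an unset ASN is not visible here. `tunnel_subnets` has no `description` or `type`, unlike the other inputs.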