In my last few posts (located here and here) I’ve talked about setting up an IPSec VPN between on-premises devices and VMware Cloud Director, specifically IBM Cloud VMware as a Service. I’ve also written about starting to use Terraform as part of your deployment, located here.

The question is – can we combine the two? Of course we can!

The code below, also located on my GitHub at https://github.com/mlnelson-ibm/tf-vmaas-1/blob/main/vpn.tf, will set up the VMware Cloud Director side of the environment.

data "vcd_resource_list" "list_of_edges" {
  name          = "list_of_edges"
  resource_type = "vcd_nsxt_edgegateway"
  list_mode     = "name"
  vdc           = var.vcd_vdc
}

data "vcd_nsxt_edgegateway" "t1" {
  name     = data.vcd_resource_list.list_of_edges.list[0]
}

resource "vcd_nsxt_ipsec_vpn_tunnel" "tunnel1" {

  edge_gateway_id = data.vcd_nsxt_edgegateway.t1.id

  name        = "First"
  description = "testing tunnel"

  # Placeholder value for the walkthrough; the real key should be long, random and kept out of the .tf file
  pre_shared_key = "thisisasecret"
  # Primary IP address of Edge Gateway pulled from data source
  local_ip_address = tolist(data.vcd_nsxt_edgegateway.t1.subnet)[0].primary_ip
  local_networks   = ["192.168.100.0/24"]
  # This is a fake remote IP address
  remote_ip_address = "169.46.39.226"
  remote_networks   = ["10.176.68.64/26"]

  security_profile_customization {
    ike_version               = "IKE_V2"
    ike_encryption_algorithms = ["AES_256"]
    ike_digest_algorithms     = ["SHA2_256"]
    ike_dh_groups             = ["GROUP14"]
    ike_sa_lifetime           = 28800

    tunnel_pfs_enabled           = true
    tunnel_df_policy             = "COPY"
    tunnel_encryption_algorithms = ["AES_256"]
    tunnel_digest_algorithms     = ["SHA2_256"]
    tunnel_dh_groups             = ["GROUP14"]
    tunnel_sa_lifetime           = 3600

    dpd_probe_internal = "30"
  }
}

So to explain what is going on here:

data "vcd_resource_list" "list_of_edges" {
  name          = "list_of_edges"
  resource_type = "vcd_nsxt_edgegateway"
  list_mode     = "name"
  vdc           = var.vcd_vdc
}

This data block takes the name of your virtual data center and builds a list of the edge gateways in it. As a data block it only reads information; it does not create or change anything.

data "vcd_nsxt_edgegateway" "t1" {
  name     = data.vcd_resource_list.list_of_edges.list[0]
}

Now we take the list of edge gateways generated in the first code block and use its first entry to create a second data source, this one holding all the information about that edge gateway. Since the majority of environments have a single edge gateway we can get away with this; otherwise we would have to select or match against some value.
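The post gets away with `list[0]` because most environments have one edge gateway. As an added example, not code from the original post or from the provider's documentation, here is the "match against some value" variant: the edge gateway is chosen by name and the plan fails when the choice is ambiguous, instead of silently attaching the tunnel to whichever gateway happens to be listed first. `var.vcd_vdc` is the post's own variable; `var.edge_gateway_name` and the `locals` block are assumptions made for this example.

```hcl
# Added example (not from the original post): select the edge gateway by name
# when a VDC has more than one, and fail the plan if the selection is not unique.

variable "edge_gateway_name" {
  description = "Name of the NSX-T edge gateway to attach the VPN tunnel to. Leave empty when the VDC has exactly one edge."
  type        = string
  default     = ""
}

data "vcd_resource_list" "list_of_edges" {
  name          = "list_of_edges"
  resource_type = "vcd_nsxt_edgegateway"
  list_mode     = "name"
  vdc           = var.vcd_vdc
}

locals {
  all_edges = data.vcd_resource_list.list_of_edges.list

  # With a name supplied, keep only the edges that match it; otherwise keep the whole list,
  # which the precondition below then requires to contain exactly one entry.
  matching_edges = var.edge_gateway_name == "" ? local.all_edges : [
    for e in local.all_edges : e if e == var.edge_gateway_name
  ]
}

data "vcd_nsxt_edgegateway" "t1" {
  # try() avoids an index error on an empty list so the precondition message is what the user sees
  name = try(local.matching_edges[0], null)

  lifecycle {
    precondition {
      condition     = length(local.matching_edges) == 1
      error_message = "Expected exactly one edge gateway in VDC ${var.vcd_vdc} matching '${var.edge_gateway_name}', found ${length(local.matching_edges)}: ${join(", ", local.matching_edges)}. Set edge_gateway_name to disambiguate."
    }
  }
}
```

With a single edge gateway this behaves exactly like the post's version. With two or more, `terraform plan` stops with a message listing the candidates until `edge_gateway_name` is set, which is the check you want before a VPN tunnel (and its pre-shared key) is bound to a gateway.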

resource "vcd_nsxt_ipsec_vpn_tunnel" "tunnel1" {

  edge_gateway_id = data.vcd_nsxt_edgegateway.t1.id

  name        = "First"
  description = "testing tunnel"

  # Placeholder value for the walkthrough; the real key should be long, random and kept out of the .tf file
  pre_shared_key = "thisisasecret"
  # Primary IP address of Edge Gateway pulled from data source
  local_ip_address = tolist(data.vcd_nsxt_edgegateway.t1.subnet)[0].primary_ip
  local_networks   = ["192.168.100.0/24"]
  # This is a fake remote IP address
  remote_ip_address = "169.46.39.226"
  remote_networks   = ["10.176.68.64/26"]

  security_profile_customization {
    ike_version               = "IKE_V2"
    ike_encryption_algorithms = ["AES_256"]
    ike_digest_algorithms     = ["SHA2_256"]
    ike_dh_groups             = ["GROUP14"]
    ike_sa_lifetime           = 28800

    tunnel_pfs_enabled           = true
    tunnel_df_policy             = "COPY"
    tunnel_encryption_algorithms = ["AES_256"]
    tunnel_digest_algorithms     = ["SHA2_256"]
    tunnel_dh_groups             = ["GROUP14"]
    tunnel_sa_lifetime           = 3600

    dpd_probe_internal = "30"
  }
}

This last block is what actually creates the VPN. Most of the values should be straightforward if you have worked with VPNs before. The full range of available arguments is listed at https://registry.terraform.io/providers/vmware/vcd/latest/docs/resources/nsxt_ipsec_vpn_tunnel.

And that is it. If we, say, added a new remote subnet, we would simply update the remote_networks value and re-apply the plan.
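The two values most likely to change over the life of this tunnel are the pre-shared key and the remote subnets, and neither belongs hard-coded in a file that is pushed to GitHub. As an added example, not code from the original post, here is the same `vcd_nsxt_ipsec_vpn_tunnel` resource with both moved into input variables: the key is marked `sensitive` so it is redacted from plan and apply output, and the subnet list is validated as CIDR before the provider ever sees it, so adding a subnet means editing a `.tfvars` file and re-applying. The variable names `vpn_pre_shared_key` and `remote_networks` are assumptions made for this example; everything else follows the post.

```hcl
# Added example (not from the original post): pre-shared key and remote subnets
# supplied as variables instead of literals in the .tf file.

variable "vpn_pre_shared_key" {
  description = "IKE pre-shared key. Supply via TF_VAR_vpn_pre_shared_key or a .tfvars file that is excluded from version control."
  type        = string
  sensitive   = true

  validation {
    condition     = length(var.vpn_pre_shared_key) >= 32
    error_message = "Use a long random pre-shared key (at least 32 characters)."
  }
}

variable "remote_networks" {
  description = "Subnets on the on-premises side of the tunnel, in CIDR notation."
  type        = list(string)

  validation {
    # cidrhost() errors on anything that is not a valid IPv4/IPv6 prefix; can() turns that into false
    condition     = alltrue([for c in var.remote_networks : can(cidrhost(c, 0))])
    error_message = "Every entry in remote_networks must be a valid CIDR such as 10.176.68.64/26."
  }
}

resource "vcd_nsxt_ipsec_vpn_tunnel" "tunnel1" {
  edge_gateway_id = data.vcd_nsxt_edgegateway.t1.id

  name        = "First"
  description = "testing tunnel"

  # Redacted in CLI output because the variable is sensitive. It is still stored in
  # the state file in clear text, so the state backend needs the same protection as the key.
  pre_shared_key = var.vpn_pre_shared_key

  # Primary IP address of Edge Gateway pulled from data source
  local_ip_address  = tolist(data.vcd_nsxt_edgegateway.t1.subnet)[0].primary_ip
  local_networks    = ["192.168.100.0/24"]
  # Fake remote IP address, as in the original post
  remote_ip_address = "169.46.39.226"
  remote_networks   = var.remote_networks

  security_profile_customization {
    ike_version               = "IKE_V2"
    ike_encryption_algorithms = ["AES_256"]
    ike_digest_algorithms     = ["SHA2_256"]
    ike_dh_groups             = ["GROUP14"]
    ike_sa_lifetime           = 28800

    tunnel_pfs_enabled           = true
    tunnel_df_policy             = "COPY"
    tunnel_encryption_algorithms = ["AES_256"]
    tunnel_digest_algorithms     = ["SHA2_256"]
    tunnel_dh_groups             = ["GROUP14"]
    tunnel_sa_lifetime           = 3600

    dpd_probe_internal = 30
  }
}
```

To add the new remote subnet from the post's closing sentence you would append it to `remote_networks` in your `.tfvars` file and run `terraform apply`; the plan shows only the `remote_networks` change, and the key never appears in the diff. Because the tunnel's attributes, key included, are recorded in Terraform state, keep the state in a backend with access control and encryption rather than a local file in the repository.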


I’m Mike

I’ve got over 26 years of experience in IT, from physically building servers to designing data centers and, now, living the architect life in the Cloud and especially with VMware by Broadcom. All posts are my own and do not reflect the opinions of my employer.
