initial commit (#1)

* initial commit

Author: cdaniluk

.github/workflows/check.yml

@@ -0,0 +1,20 @@
+name: format_and_lint
+on: [push, pull_request]
+
+jobs:
+  build:
+    runs-on: macOS-latest
+    steps:
+    - uses: actions/checkout@v1
+
+    - name: Install prereq
+      run: |
+        brew install docker tfenv tflint
+        tfenv install
+
+    - name: tf fmt
+      run: |
+        terraform fmt
+    - name: tflint
+      run: |
+        tflint

.terraform-version

@@ -0,0 +1 @@
+0.12.23

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2020 Rhythmic Technologies, Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,47 @@
+# terraform-aws-fortigate-vpn
+[![GH Action Status](https://github.com/rhythmictech/terraform-aws-fortigate-vpn/workflows/check/badge.svg)](https://github.com/rhythmictech/terraform-aws-fortigate-vpn/actions)
+Creates a site-to-site VPN connection intended to terminate to a FortiGate firewall. Creates a template configuration file that can be used to easily configure the connection.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| account\_name | Name for AWS account side of tunnel | string | n/a | yes |
+| customer\_bgp\_asn | BGP for customer side of tunnel | number | n/a | yes |
+| customer\_gateway\_type | Type for customer gateway | string | `"ipsec.1"` | no |
+| customer\_ip\_address | IP address for customer side | string | n/a | yes |
+| customer\_name | Name for customer side of tunnel | string | n/a | yes |
+| generate\_fortigate\_config | Generate a FortiGate config template \(does not include PSKs\) | bool | `"true"` | no |
+| tags | Tags to add to supported resources | string | n/a | yes |
+| transit\_gateway\_id | Transit gateway to attach VPN to \(required if `vpn\_gateway\_id` not set\) | string | `"null"` | no |
+| tunnel1\_inside\_cidr | Specify a Tunnel 1 inside CIDR \(optional\) | string | `""` | no |
+| tunnel1\_psk | Specify a Tunnel 1 PSK explicitly \(optional\) | string | `""` | no |
+| tunnel1\_psk\_version | Version to use for PSK \(increment to generate a new PSK\) | number | `"1"` | no |
+| tunnel2\_inside\_cidr | Specify a Tunnel 2 inside CIDR \(optional\) | string | `""` | no |
+| tunnel2\_psk | Specify a Tunnel 2 PSK explicitly \(optional\) | string | `""` | no |
+| tunnel2\_psk\_version | Version to use for PSK \(increment to generate a new PSK\) | number | `"1"` | no |
+| use\_secrets\_manager | Use Secrets Manager to store/manage PSKs | bool | `"true"` | no |
+| vgw\_id | Virtual Private Gateway to attach VPN to \(required if `transit\_gateway\_id` not set\) | string | `"null"` | no |
+| wan\_interface | WAN interface to use in fortigate config template | string | `"wan1"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| customer\_gateway\_bgp\_asn | Customer Gateway BGP ASN |
+| customer\_gateway\_id | Customer Gateway ID |
+| customer\_gateway\_ip\_address | Customer Gateway IP Address |
+| vpn\_connection\_tunnel1\_address | Tunnel 1 Public IP Address |
+| vpn\_connection\_tunnel1\_bgp\_asn | Tunnel 1 BGP ASN |
+| vpn\_connection\_tunnel1\_cgw\_inside\_address | Tunnel 1 Customer Inside IP Address |
+| vpn\_connection\_tunnel1\_preshared\_key | Tunnel 1 Preshared Key |
+| vpn\_connection\_tunnel1\_vgw\_inside\_address | Tunnel 1 AWS Inside IP Address |
+| vpn\_connection\_tunnel2\_address | Tunnel 2 Public IP Address |
+| vpn\_connection\_tunnel2\_bgp\_asn | Tunnel 2 BGP ASN |
+| vpn\_connection\_tunnel2\_cgw\_inside\_address | Tunnel 2 Customer Inside IP Address |
+| vpn\_connection\_tunnel2\_preshared\_key | Tunnel 2 Preshared Key |
+| vpn\_connection\_tunnel2\_vgw\_inside\_address | Tunnel 2 AWS Inside IP Address |
+| vpn\_connection\_vpn\_gw\_id | VPN Gateway ID |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

fortigate_config.txt.tpl

@@ -0,0 +1,95 @@
+config vpn ipsec phase1-interface
+ edit "${shortname}1"
+  set interface "${wan_interface}"
+  set dpd enable
+  set local-gw ${customer_ip_address}
+  set dhgrp 2
+  set proposal aes128-sha1
+  set keylife 28800
+  set remote-gw ${tunnel1_address}
+  set psksecret PSK1
+  set dpd-retryinterval 10
+  set comments "${account_name}<->${customer_name}1"
+ next
+end
+
+config vpn ipsec phase2-interface
+ edit "${shortname}1"
+  set phase1name "${shortname}1"
+  set proposal aes128-sha1
+  set dhgrp 2
+  set pfs enable
+  set keylifeseconds 3600
+ next
+end
+
+config system interface
+ edit "${shortname}1"
+  set vdom "root"
+  set ip ${tunnel1_inside_address_customer} 255.255.255.255
+  set allowaccess ping
+  set type tunnel
+  set tcp-mss 1379
+  set remote-ip ${tunnel1_inside_address_amazon} 255.255.255.255
+  set comments "${account_name}<->${customer_name}1"
+  set interface "${wan_interface}"
+ next
+end
+
+config router bgp
+  config neighbor
+    edit ${tunnel1_inside_address_amazon}
+      set capability-graceful-restart enable
+      set soft-reconfiguration enable
+      set remote-as ${amazon_bgp_asn}
+    next
+  end
+end
+
+config vpn ipsec phase1-interface
+edit "${shortname}2"
+  set interface "${wan_interface}"
+  set dpd enable
+  set local-gw ${customer_ip_address}
+  set dhgrp 2
+  set proposal aes128-sha1
+  set keylife 28800
+  set remote-gw ${tunnel2_address}
+  set psksecret PSK2
+  set dpd-retryinterval 10
+  set comments "${account_name}<->${customer_name}2"
+ next
+end
+
+config vpn ipsec phase2-interface
+ edit "${shortname}2"
+  set phase1name "${shortname}2"
+  set proposal aes128-sha1
+  set dhgrp 2
+  set pfs enable
+  set keylifeseconds 3600
+ next
+end
+
+config system interface
+ edit "${shortname}2"
+  set vdom "root"
+  set ip ${tunnel2_inside_address_customer} 255.255.255.255
+  set allowaccess ping
+  set type tunnel
+  set tcp-mss 1379
+  set remote-ip ${tunnel2_inside_address_amazon} 255.255.255.255
+  set interface "${wan_interface}"
+  set description "${account_name}<->${customer_name}2"
+ next
+end
+
+config router bgp
+  config neighbor
+    edit ${tunnel2_inside_address_amazon}
+      set capability-graceful-restart enable
+      set soft-reconfiguration enable
+      set remote-as ${amazon_bgp_asn}
+    next
+  end
+end

main.tf

@@ -0,0 +1,85 @@
+data "aws_vpn_gateway" "this" {
+  id = var.vgw_id
+}
+
+data "aws_ec2_transit_gateway" "this" {
+  id = var.transit_gateway_id
+}
+
+module "psk1" {
+  source           = "git::https://github.com/rhythmictech/terraform-aws-secretsmanager-random-secret?ref=v1.1.1"
+  name             = "${var.account_name}/${var.customer_name}-psk1-secret"
+  create_secret    = var.use_secrets_manager
+  length           = 40
+  min_special      = 3
+  override_special = "._"
+  pass_version     = var.tunnel1_psk_version
+  use_special      = true
+  tags             = var.tags
+}
+
+module "psk2" {
+  source           = "git::https://github.com/rhythmictech/terraform-aws-secretsmanager-random-secret?ref=v1.1.1"
+  name             = "${var.account_name}/${var.customer_name}-psk2-secret"
+  create_secret    = var.use_secrets_manager
+  length           = 40
+  min_special      = 3
+  override_special = "._"
+  pass_version     = var.tunnel2_psk_version
+  tags             = var.tags
+  use_special      = true
+}
+
+locals {
+
+  tags_with_name = merge(var.tags, {
+    "Name" = "${var.account_name}<=>${var.customer_name}"
+    }
+  )
+  tunnel1_psk = var.use_secrets_manager ? module.psk1.secret : var.tunnel1_psk
+  tunnel2_psk = var.use_secrets_manager ? module.psk2.secret : var.tunnel2_psk
+
+  # compute aws bgp asn
+  amazon_bgp_asn = var.vgw_id == null ? data.aws_ec2_transit_gateway.this.amazon_side_asn : data.aws_vpn_gateway.this.amazon_side_asn
+}
+
+resource "aws_customer_gateway" "this" {
+  bgp_asn    = var.customer_bgp_asn
+  ip_address = var.customer_ip_address
+  tags       = local.tags_with_name
+  type       = var.customer_gateway_type
+}
+
+resource "aws_vpn_connection" "this" {
+  customer_gateway_id   = aws_customer_gateway.this.id
+  tags                  = local.tags_with_name
+  transit_gateway_id    = var.transit_gateway_id
+  tunnel1_inside_cidr   = var.tunnel1_inside_cidr
+  tunnel1_preshared_key = local.tunnel1_psk
+  tunnel2_inside_cidr   = var.tunnel2_inside_cidr
+  tunnel2_preshared_key = local.tunnel2_psk
+  type                  = aws_customer_gateway.this.type
+  vpn_gateway_id        = var.vgw_id
+}
+
+resource "local_file" "this" {
+  count = var.generate_fortigate_config ? 1 : 0
+  content = templatefile("${path.module}/fortigate_config.txt.tpl",
+    {
+      account_name                    = var.account_name
+      amazon_bgp_asn                  = local.amazon_bgp_asn
+      customer_bgp_asn                = var.customer_bgp_asn
+      customer_ip_address             = var.customer_ip_address
+      customer_name                   = var.customer_name
+      shortname                       = substr(var.account_name, 0, 14)
+      tunnel1_address                 = aws_vpn_connection.this.tunnel1_address
+      tunnel1_inside_address_amazon   = aws_vpn_connection.this.tunnel1_vgw_inside_address
+      tunnel1_inside_address_customer = aws_vpn_connection.this.tunnel1_cgw_inside_address
+      tunnel2_address                 = aws_vpn_connection.this.tunnel2_address
+      tunnel2_inside_address_amazon   = aws_vpn_connection.this.tunnel2_vgw_inside_address
+      tunnel2_inside_address_customer = aws_vpn_connection.this.tunnel2_cgw_inside_address
+      wan_interface                   = var.wan_interface
+    }
+  )
+  filename = "${var.account_name}-${var.customer_name}-fortigate_config.txt"
+}

outputs.tf

@@ -0,0 +1,68 @@
+output "customer_gateway_bgp_asn" {
+  description = "Customer Gateway BGP ASN"
+  value       = aws_customer_gateway.this.bgp_asn
+}
+
+output "customer_gateway_id" {
+  description = "Customer Gateway ID"
+  value       = aws_customer_gateway.this.id
+}
+
+output "customer_gateway_ip_address" {
+  description = "Customer Gateway IP Address"
+  value       = aws_customer_gateway.this.ip_address
+}
+
+output "vpn_connection_tunnel1_address" {
+  description = "Tunnel 1 Public IP Address"
+  value       = aws_vpn_connection.this.tunnel1_address
+}
+
+output "vpn_connection_tunnel1_bgp_asn" {
+  description = "Tunnel 1 BGP ASN"
+  value       = aws_vpn_connection.this.tunnel1_bgp_asn
+}
+output "vpn_connection_tunnel1_cgw_inside_address" {
+  description = "Tunnel 1 Customer Inside IP Address"
+  value       = aws_vpn_connection.this.tunnel1_cgw_inside_address
+}
+
+output "vpn_connection_tunnel1_preshared_key" {
+  description = "Tunnel 1 Preshared Key"
+  value       = aws_vpn_connection.this.tunnel1_preshared_key
+}
+
+output "vpn_connection_tunnel1_vgw_inside_address" {
+  description = "Tunnel 1 AWS Inside IP Address"
+  value       = aws_vpn_connection.this.tunnel1_vgw_inside_address
+}
+
+output "vpn_connection_tunnel2_address" {
+  description = "Tunnel 2 Public IP Address"
+  value       = aws_vpn_connection.this.tunnel2_address
+}
+
+output "vpn_connection_tunnel2_bgp_asn" {
+  description = "Tunnel 2 BGP ASN"
+  value       = aws_vpn_connection.this.tunnel2_bgp_asn
+}
+
+output "vpn_connection_tunnel2_cgw_inside_address" {
+  description = "Tunnel 2 Customer Inside IP Address"
+  value       = aws_vpn_connection.this.tunnel2_cgw_inside_address
+}
+
+output "vpn_connection_tunnel2_preshared_key" {
+  description = "Tunnel 2 Preshared Key"
+  value       = aws_vpn_connection.this.tunnel2_preshared_key
+}
+
+output "vpn_connection_tunnel2_vgw_inside_address" {
+  description = "Tunnel 2 AWS Inside IP Address"
+  value       = aws_vpn_connection.this.tunnel2_vgw_inside_address
+}
+
+output "vpn_connection_vpn_gw_id" {
+  description = "VPN Gateway ID"
+  value       = aws_vpn_connection.this.id
+}