author | Daniil Baturin <daniil@vyos.io> | 2025-05-01 15:48:15 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2025-05-01 15:48:15 +0100 |
commit | fc9128e33469aea2b65b81589a3e9c9399ddc0c7 (patch) | |
tree | f27518abd233c3620122a867a5043ff37fd334b4 /Terraform/AWS/instance-with-configs/files | |
parent | 65f456222375c017e45f27dfb283d1d4176e260f (diff) | |
parent | cb2f5c86fd732a2d10a758bc3a90fc4ee33323de (diff) | |
download | vyos-automation-fc9128e33469aea2b65b81589a3e9c9399ddc0c7.tar.gz vyos-automation-fc9128e33469aea2b65b81589a3e9c9399ddc0c7.zip |
Merge pull request #5 from aslanvyos/main
Terraform projects for VyOS deployment on AWS
Diffstat (limited to 'Terraform/AWS/instance-with-configs/files')
-rw-r--r-- | Terraform/AWS/instance-with-configs/files/on-prem-vyos-config.txt | 55 | ||||
-rw-r--r-- | Terraform/AWS/instance-with-configs/files/vyos_user_data.tfpl | 57 |
2 files changed, 112 insertions, 0 deletions
diff --git a/Terraform/AWS/instance-with-configs/files/on-prem-vyos-config.txt b/Terraform/AWS/instance-with-configs/files/on-prem-vyos-config.txt
new file mode 100644
index 0000000..6c52bcb
--- /dev/null
+++ b/Terraform/AWS/instance-with-configs/files/on-prem-vyos-config.txt
@@ -0,0 +1,55 @@
+set system host-name 'VyOS-for-DEMO-On-Prem'
+set system login banner pre-login 'Welcome to the VyOS for DEMO on On-Prem'
+set interfaces ethernet eth0 description 'WAN'
+set interfaces ethernet eth1 description 'LAN'
+set interfaces ethernet eth1 dhcp-options no-default-route
+set system name-server '<DNS>'
+set service dns forwarding name-server '<DNS>'
+set service dns forwarding listen-address '<VYOS_PRIV_IP>'
+set service dns forwarding allow-from '<VYOS_CIDR>'
+set service dns forwarding no-serve-rfc1918
+set nat source rule 10 outbound-interface name 'eth0'
+set nat source rule 10 source address '<VYOS_CIDR>'
+set nat source rule 10 translation address 'masquerade'
+set vpn ipsec interface 'eth0'
+set vpn ipsec esp-group AWS lifetime '3600'
+set vpn ipsec esp-group AWS mode 'tunnel'
+set vpn ipsec esp-group AWS pfs 'dh-group2'
+set vpn ipsec esp-group AWS proposal 1 encryption 'aes256'
+set vpn ipsec esp-group AWS proposal 1 hash 'sha1'
+set vpn ipsec ike-group AWS dead-peer-detection action 'restart'
+set vpn ipsec ike-group AWS dead-peer-detection interval '15'
+set vpn ipsec ike-group AWS dead-peer-detection timeout '30'
+set vpn ipsec ike-group AWS ikev2-reauth
+set vpn ipsec ike-group AWS key-exchange 'ikev2'
+set vpn ipsec ike-group AWS lifetime '28800'
+set vpn ipsec ike-group AWS proposal 1 dh-group '2'
+set vpn ipsec ike-group AWS proposal 1 encryption 'aes256'
+set vpn ipsec ike-group AWS proposal 1 hash 'sha1'
+set vpn ipsec ike-group AWS close-action start
+set vpn ipsec option disable-route-autoinstall
+set interfaces vti vti1 address '10.2.100.11/32'
+set interfaces vti vti1 description 'Tunnel for VyOS in AWS'
+set interfaces vti vti1 ip adjust-mss '1350'
+set protocols static route 10.1.100.11/32 interface vti1
+set vpn ipsec authentication psk VyOS id '<VYOS_AWS_PUB_IP>'
+set vpn ipsec authentication psk VyOS id '<VYOS_PUB_IP>'
+set vpn ipsec authentication psk VyOS secret 'ch00s3-4-s3cur3-psk'
+set vpn ipsec site-to-site peer AWS authentication local-id '<VYOS_PUB_IP>'
+set vpn ipsec site-to-site peer AWS authentication mode 'pre-shared-secret'
+set vpn ipsec site-to-site peer AWS authentication remote-id '<VYOS_AWS_PUB_IP>'
+set vpn ipsec site-to-site peer AWS connection-type 'initiate'
+set vpn ipsec site-to-site peer AWS description 'AWS TUNNEL to VyOS on NET 02'
+set vpn ipsec site-to-site peer AWS ike-group 'AWS'
+set vpn ipsec site-to-site peer AWS ikev2-reauth 'inherit'
+set vpn ipsec site-to-site peer AWS local-address '<VYOS_PUB_IP>'
+set vpn ipsec site-to-site peer AWS remote-address '<VYOS_AWS_PUB_IP>'
+set vpn ipsec site-to-site peer AWS vti bind 'vti1'
+set vpn ipsec site-to-site peer AWS vti esp-group 'AWS'
+set protocols bgp system-as '<VYOS_BGP_AS_NUMBER>'
+set protocols bgp address-family ipv4-unicast network <VYOS_CIDR>
+set protocols bgp neighbor 10.1.100.11 remote-as '<VYOS_AWS_BGP_AS_NUMBER>'
+set protocols bgp neighbor 10.1.100.11 address-family ipv4-unicast soft-reconfiguration inbound
+set protocols bgp neighbor 10.1.100.11 timers holdtime '30'
+set protocols bgp neighbor 10.1.100.11 timers keepalive '10'
+set protocols bgp neighbor 10.1.100.11 disable-connected-check
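Review bot: The IPsec pre-shared key at `set vpn ipsec authentication psk VyOS secret 'ch00s3-4-s3cur3-psk'` is a literal value committed with the repository, while every other site-specific value in this file is a `<PLACEHOLDER>`; a key that ships in a public sample tends to survive into the deployments copied from it. It should follow the file's own convention, `set vpn ipsec authentication psk VyOS secret '<VYOS_IPSEC_PSK>'`, with a note that the value must be generated per deployment. The same literal appears in vyos_user_data.tfpl in this commit and the two sides must match, so the replacement has to land in both files. Separately, the ESP and IKE proposals use `pfs 'dh-group2'`, `dh-group '2'` and `hash 'sha1'` (1024-bit MODP and SHA-1), which are below current guidance for new tunnels; VyOS accepts `dh-group14` / `dh-group '14'` and `hash 'sha256'`, and the on-prem and AWS groups have to be changed together or IKE negotiation will fail.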
diff --git a/Terraform/AWS/instance-with-configs/files/vyos_user_data.tfpl b/Terraform/AWS/instance-with-configs/files/vyos_user_data.tfpl
new file mode 100644
index 0000000..7240a2c
--- /dev/null
+++ b/Terraform/AWS/instance-with-configs/files/vyos_user_data.tfpl
@@ -0,0 +1,57 @@
+#cloud-config
+vyos_config_commands:
+ - set system host-name 'VyOS-for-DEMO-AWS'
+ - set system login banner pre-login 'Welcome to the VyOS for DEMO on AWS'
+ - set interfaces ethernet eth0 description 'WAN'
+ - set interfaces ethernet eth1 description 'LAN'
+ - set interfaces ethernet eth1 dhcp-options no-default-route
+ - set system name-server '${dns_1}'
+ - set service dns forwarding name-server '${dns_1}'
+ - set service dns forwarding listen-address '${vyos_priv_nic_ip}'
+ - set service dns forwarding allow-from '${private_subnet_cidr}'
+ - set service dns forwarding no-serve-rfc1918
+ - set nat source rule 10 outbound-interface name 'eth0'
+ - set nat source rule 10 source address '${private_subnet_cidr}'
+ - set nat source rule 10 translation address 'masquerade'
+ - set vpn ipsec interface 'eth0'
+ - set vpn ipsec esp-group ON-PREM lifetime '3600'
+ - set vpn ipsec esp-group ON-PREM mode 'tunnel'
+ - set vpn ipsec esp-group ON-PREM pfs 'dh-group2'
+ - set vpn ipsec esp-group ON-PREM proposal 1 encryption 'aes256'
+ - set vpn ipsec esp-group ON-PREM proposal 1 hash 'sha1'
+ - set vpn ipsec ike-group ON-PREM dead-peer-detection action 'restart'
+ - set vpn ipsec ike-group ON-PREM dead-peer-detection interval '15'
+ - set vpn ipsec ike-group ON-PREM dead-peer-detection timeout '30'
+ - set vpn ipsec ike-group ON-PREM ikev2-reauth
+ - set vpn ipsec ike-group ON-PREM key-exchange 'ikev2'
+ - set vpn ipsec ike-group ON-PREM lifetime '28800'
+ - set vpn ipsec ike-group ON-PREM proposal 1 dh-group '2'
+ - set vpn ipsec ike-group ON-PREM proposal 1 encryption 'aes256'
+ - set vpn ipsec ike-group ON-PREM proposal 1 hash 'sha1'
+ - set vpn ipsec ike-group ON-PREM close-action start
+ - set vpn ipsec option disable-route-autoinstall
+ - set interfaces vti vti1 address '10.1.100.11/32'
+ - set interfaces vti vti1 description 'Tunnel for VyOS in ON-PREM'
+ - set interfaces vti vti1 ip adjust-mss '1350'
+ - set protocols static route 10.2.100.11/32 interface vti1
+ - set vpn ipsec authentication psk VyOS id '${vyos_public_ip_address}'
+ - set vpn ipsec authentication psk VyOS id '${on_prem_public_ip_address}'
+ - set vpn ipsec authentication psk VyOS secret 'ch00s3-4-s3cur3-psk'
+ - set vpn ipsec site-to-site peer ON-PREM authentication local-id '${vyos_public_ip_address}'
+ - set vpn ipsec site-to-site peer ON-PREM authentication mode 'pre-shared-secret'
+ - set vpn ipsec site-to-site peer ON-PREM authentication remote-id '${on_prem_public_ip_address}'
+ - set vpn ipsec site-to-site peer ON-PREM connection-type 'none'
+ - set vpn ipsec site-to-site peer ON-PREM description 'ON-PREM TUNNEL to VyOS on NET 02'
+ - set vpn ipsec site-to-site peer ON-PREM ike-group 'ON-PREM'
+ - set vpn ipsec site-to-site peer ON-PREM ikev2-reauth 'inherit'
+ - set vpn ipsec site-to-site peer ON-PREM local-address '${vyos_pub_nic_ip}'
+ - set vpn ipsec site-to-site peer ON-PREM remote-address '${on_prem_public_ip_address}'
+ - set vpn ipsec site-to-site peer ON-PREM vti bind 'vti1'
+ - set vpn ipsec site-to-site peer ON-PREM vti esp-group 'ON-PREM'
+ - set protocols bgp system-as '${vyos_bgp_as_number}'
+ - set protocols bgp address-family ipv4-unicast network ${private_subnet_cidr}
+ - set protocols bgp neighbor 10.2.100.11 remote-as '${on_prem_bgp_as_number}'
+ - set protocols bgp neighbor 10.2.100.11 address-family ipv4-unicast soft-reconfiguration inbound
+ - set protocols bgp neighbor 10.2.100.11 timers holdtime '30'
+ - set protocols bgp neighbor 10.2.100.11 timers keepalive '10'
+ - set protocols bgp neighbor 10.2.100.11 disable-connected-check
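Review bot: Because this template is rendered into EC2 user data, the literal at `set vpn ipsec authentication psk VyOS secret 'ch00s3-4-s3cur3-psk'` is persisted with the instance and is readable by any principal allowed to describe the instance's attributes, as well as from inside the guest via instance metadata, which widens the exposure well beyond the repository. Every other deployment-specific value in this file is already a template variable, so the secret should be one too — `set vpn ipsec authentication psk VyOS secret '${ipsec_psk}'` (proposed variable name) — supplied from a Terraform variable marked `sensitive = true` and generated per deployment rather than typed into the template. Even with a variable, the rendered user data still carries the key in plaintext, so the project's documentation should state that the key is retrievable through the EC2 API and should be rotated once the tunnel is established or delivered to the instance out of band. The `connection-type 'none'` on the ON-PREM peer means this side only responds, which is consistent with `'initiate'` in the on-prem config, but a `# on-prem router initiates; this side only responds` comment above the peer block would save the next reader a round of debugging.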