Add site-to-site-vpn Terraform/OpenTofu component #1106

Merged: 11 commits, Sep 3, 2024

Conversation

aknysh (Member) commented Aug 30, 2024

what

  • Add site-to-site-vpn Terraform/OpenTofu component

why

  • The component provisions a Site-To-Site VPN with a target AWS VPC on one side of the tunnel. The other (customer) side can be any VPN gateway endpoint, e.g. a hardware device, other cloud VPN, etc.

    AWS Site-to-Site VPN is a fully-managed service that creates a secure connection between your data center or branch
    office and your AWS resources using IP Security (IPSec) tunnels. When using Site-to-Site VPN, you can connect to both
    your Amazon Virtual Private Clouds (VPC) and AWS Transit Gateway, and two tunnels per connection are used for
    increased redundancy.

    The component provisions the following resources:

    • AWS Virtual Private Gateway (a representation of the AWS side of the tunnel)

    • AWS Customer Gateway (a representation of the other (remote) side of the tunnel). It requires:

      • The gateway's Border Gateway Protocol (BGP) Autonomous System Number (ASN)
      • /32 IP of the VPN endpoint

    • AWS Site-To-Site VPN connection. It creates two VPN tunnels for redundancy and requires:

      • The IP CIDR ranges on each side of the tunnel
      • Pre-shared Keys for each tunnel (can be auto-generated if not provided and saved into SSM Parameter Store)
      • (Optional) IP CIDR ranges to be used inside each VPN tunnel

    • Route table entries to direct the appropriate traffic from the local VPC to the other side of the tunnel

references

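The resource list in the PR description, wired together as an added Terraform/OpenTofu example. This is illustration written for this page, not the component's own code and not from the PR author: the resource names, the SSM path, the CIDRs, the ASN and the customer gateway address (203.0.113.10, a TEST-NET-3 placeholder) are all assumed. It shows the two checks a practitioner wants around the auto-generated pre-shared keys and the optional inside-tunnel CIDRs, and pins the IKE proposals, which the description does not mention.

```hcl
# Added example, not the component's code. Names, CIDRs, ASN, SSM path and the
# customer gateway IP are placeholders.

variable "vpc_id" {
  type = string
}

variable "route_table_ids" {
  type = list(string) # VPC route tables that should learn the route to the remote network
}

locals {
  vpc_cidr            = "10.10.0.0/16"   # local (AWS) side of the tunnel
  remote_cidr         = "192.168.0.0/16" # customer side of the tunnel
  customer_gateway_ip = "203.0.113.10"   # public /32 of the remote VPN endpoint (placeholder)
}

variable "tunnel_inside_cidrs" {
  type    = list(string) # optional /30s used inside tunnel 1 and tunnel 2
  default = ["169.254.10.0/30", "169.254.11.0/30"]

  validation {
    condition = length(var.tunnel_inside_cidrs) == 2 && alltrue([
      for c in var.tunnel_inside_cidrs :
      startswith(c, "169.254.") && endswith(c, "/30") && !contains([
        "169.254.0.0/30", "169.254.1.0/30", "169.254.2.0/30", "169.254.3.0/30",
        "169.254.4.0/30", "169.254.5.0/30", "169.254.169.252/30",
      ], c)
    ])
    error_message = "Two /30s inside 169.254.0.0/16 are required, excluding the AWS-reserved link-local ranges."
  }
}

# AWS accepts pre-shared keys of 8-64 characters from [A-Za-z0-9._] that do not
# start with '0'. 64 alphanumeric characters satisfy the character-set rule; the
# leading-zero rule is enforced by the precondition on the VPN connection below.
resource "random_password" "psk" {
  count   = 2
  length  = 64
  special = false
}

# SecureString so operators can hand the PSK to the remote side without reading state.
resource "aws_ssm_parameter" "psk" {
  count = 2
  name  = "/vpn/example/tunnel${count.index + 1}/preshared-key"
  type  = "SecureString"
  value = random_password.psk[count.index].result
}

resource "aws_vpn_gateway" "this" {
  vpc_id = var.vpc_id
}

resource "aws_customer_gateway" "remote" {
  bgp_asn    = 65000 # the remote device's ASN (placeholder)
  ip_address = local.customer_gateway_ip
  type       = "ipsec.1"
}

resource "aws_vpn_connection" "this" {
  vpn_gateway_id      = aws_vpn_gateway.this.id
  customer_gateway_id = aws_customer_gateway.remote.id
  type                = "ipsec.1"
  static_routes_only  = true # false would exchange routes over BGP instead

  local_ipv4_network_cidr  = local.vpc_cidr
  remote_ipv4_network_cidr = local.remote_cidr

  tunnel1_inside_cidr   = var.tunnel_inside_cidrs[0]
  tunnel2_inside_cidr   = var.tunnel_inside_cidrs[1]
  tunnel1_preshared_key = random_password.psk[0].result
  tunnel2_preshared_key = random_password.psk[1].result

  # Without these AWS offers its full default proposal set (IKEv1, SHA1 and
  # DH group 2 included); pin IKEv2 and current algorithms on both tunnels.
  tunnel1_ike_versions                 = ["ikev2"]
  tunnel2_ike_versions                 = ["ikev2"]
  tunnel1_phase1_encryption_algorithms = ["AES256-GCM-16"]
  tunnel2_phase1_encryption_algorithms = ["AES256-GCM-16"]
  tunnel1_phase1_dh_group_numbers      = [14, 20]
  tunnel2_phase1_dh_group_numbers      = [14, 20]

  lifecycle {
    precondition {
      condition     = alltrue([for p in random_password.psk : !startswith(p.result, "0")])
      error_message = "A generated PSK starts with '0', which AWS rejects; replace random_password.psk and re-apply."
    }
  }
}

# Static route inside the VPN connection (what the tunnels carry) ...
resource "aws_vpn_connection_route" "remote" {
  destination_cidr_block = local.remote_cidr
  vpn_connection_id      = aws_vpn_connection.this.id
}

# ... and the VPC route-table entries that send that traffic to the VGW.
resource "aws_route" "to_remote" {
  for_each               = toset(var.route_table_ids)
  route_table_id         = each.value
  destination_cidr_block = local.remote_cidr
  gateway_id             = aws_vpn_gateway.this.id
}
```

Two caveats follow from this layout. The `random_password` results are stored in plaintext in Terraform state regardless of the SSM SecureString copy (the provider's sensitive flag only redacts CLI output), so the state backend needs encryption and tight access control. And this is the static-routing variant; with BGP (`static_routes_only = false`) the `aws_vpn_connection_route` goes away and the VPC route tables would normally learn the remote prefixes through `aws_vpn_gateway_route_propagation` rather than fixed `aws_route` entries.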
@aknysh aknysh self-assigned this Aug 30, 2024
@aknysh aknysh requested review from a team as code owners August 30, 2024 22:15
@aknysh aknysh requested a review from osterman August 30, 2024 22:15
@aknysh aknysh merged commit 4cc206e into main Sep 3, 2024
4 checks passed
@aknysh aknysh deleted the add-site-to-site-vpn branch September 3, 2024 15:02
goruha pushed a commit to cloudposse-terraform-components/aws-access-analyzer that referenced this pull request Nov 27, 2024
goruha pushed a commit to cloudposse-terraform-components/aws-config that referenced this pull request Nov 27, 2024
goruha pushed a commit to cloudposse-terraform-components/aws-team-roles that referenced this pull request Nov 27, 2024
goruha pushed a commit to cloudposse-terraform-components/aws-site-to-site-vpn that referenced this pull request Nov 27, 2024
goruha pushed a commit to cloudposse-terraform-components/aws-spacelift-spaces that referenced this pull request Nov 27, 2024