From 0564e4ebb416df74f1d0fa31d7e4536186fbac47 Mon Sep 17 00:00:00 2001 
From: 3u13r Date: Thu, 23 Nov 2023 16:13:37 +0100 Subject: [PATCH] dev-docs: add on-prem terraform to vpn setup (#2619) * vpn: add fake-on-prem infra * dev-docs: move vpn helm --- dev-docs/howto/vpn/{ => helm}/.helmignore | 0 dev-docs/howto/vpn/{ => helm}/Chart.yaml | 0 dev-docs/howto/vpn/{ => helm}/README.md | 0 .../files/strongswan/charon-logging.conf | 0 .../{ => helm}/files/strongswan/entrypoint.sh | 0 .../vpn/{ => helm}/files/tproxy-setup.sh | 0 .../vpn/{ => helm}/files/wireguard-setup.sh | 0 .../vpn/{ => helm}/templates/_helpers.tpl | 0 .../vpn/{ => helm}/templates/configmaps.yaml | 0 .../vpn/{ => helm}/templates/secrets.yaml | 0 .../vpn/{ => helm}/templates/service.yaml | 0 .../templates/strongswan-secret.tpl | 0 .../templates/strongswan-statefulset.yaml | 0 .../{ => helm}/templates/wireguard-secret.tpl | 0 .../templates/wireguard-statefulset.yaml | 0 dev-docs/howto/vpn/{ => helm}/values.yaml | 0 .../vpn/on-prem-terraform/.terraform.lock.hcl | 73 +++++ dev-docs/howto/vpn/on-prem-terraform/main.tf | 294 ++++++++++++++++++ .../howto/vpn/on-prem-terraform/output.tf | 8 + .../howto/vpn/on-prem-terraform/variables.tf | 32 ++ 20 files changed, 407 insertions(+) rename dev-docs/howto/vpn/{ => helm}/.helmignore (100%) rename dev-docs/howto/vpn/{ => helm}/Chart.yaml (100%) rename dev-docs/howto/vpn/{ => helm}/README.md (100%) rename dev-docs/howto/vpn/{ => helm}/files/strongswan/charon-logging.conf (100%) rename dev-docs/howto/vpn/{ => helm}/files/strongswan/entrypoint.sh (100%) rename dev-docs/howto/vpn/{ => helm}/files/tproxy-setup.sh (100%) rename dev-docs/howto/vpn/{ => helm}/files/wireguard-setup.sh (100%) rename dev-docs/howto/vpn/{ => helm}/templates/_helpers.tpl (100%) rename dev-docs/howto/vpn/{ => helm}/templates/configmaps.yaml (100%) rename dev-docs/howto/vpn/{ => helm}/templates/secrets.yaml (100%) rename dev-docs/howto/vpn/{ => helm}/templates/service.yaml (100%) rename dev-docs/howto/vpn/{ => helm}/templates/strongswan-secret.tpl (100%) rename 
dev-docs/howto/vpn/{ => helm}/templates/strongswan-statefulset.yaml (100%) rename dev-docs/howto/vpn/{ => helm}/templates/wireguard-secret.tpl (100%) rename dev-docs/howto/vpn/{ => helm}/templates/wireguard-statefulset.yaml (100%) rename dev-docs/howto/vpn/{ => helm}/values.yaml (100%) create mode 100644 dev-docs/howto/vpn/on-prem-terraform/.terraform.lock.hcl create mode 100644 dev-docs/howto/vpn/on-prem-terraform/main.tf create mode 100644 dev-docs/howto/vpn/on-prem-terraform/output.tf create mode 100644 dev-docs/howto/vpn/on-prem-terraform/variables.tf diff --git a/dev-docs/howto/vpn/.helmignore b/dev-docs/howto/vpn/helm/.helmignore similarity index 100% rename from dev-docs/howto/vpn/.helmignore rename to dev-docs/howto/vpn/helm/.helmignore diff --git a/dev-docs/howto/vpn/Chart.yaml b/dev-docs/howto/vpn/helm/Chart.yaml similarity index 100% rename from dev-docs/howto/vpn/Chart.yaml rename to dev-docs/howto/vpn/helm/Chart.yaml diff --git a/dev-docs/howto/vpn/README.md b/dev-docs/howto/vpn/helm/README.md similarity index 100% rename from dev-docs/howto/vpn/README.md rename to dev-docs/howto/vpn/helm/README.md diff --git a/dev-docs/howto/vpn/files/strongswan/charon-logging.conf b/dev-docs/howto/vpn/helm/files/strongswan/charon-logging.conf similarity index 100% rename from dev-docs/howto/vpn/files/strongswan/charon-logging.conf rename to dev-docs/howto/vpn/helm/files/strongswan/charon-logging.conf diff --git a/dev-docs/howto/vpn/files/strongswan/entrypoint.sh b/dev-docs/howto/vpn/helm/files/strongswan/entrypoint.sh similarity index 100% rename from dev-docs/howto/vpn/files/strongswan/entrypoint.sh rename to dev-docs/howto/vpn/helm/files/strongswan/entrypoint.sh diff --git a/dev-docs/howto/vpn/files/tproxy-setup.sh b/dev-docs/howto/vpn/helm/files/tproxy-setup.sh similarity index 100% rename from dev-docs/howto/vpn/files/tproxy-setup.sh rename to dev-docs/howto/vpn/helm/files/tproxy-setup.sh 
diff --git a/dev-docs/howto/vpn/files/wireguard-setup.sh b/dev-docs/howto/vpn/helm/files/wireguard-setup.sh similarity index 100% rename from dev-docs/howto/vpn/files/wireguard-setup.sh rename to dev-docs/howto/vpn/helm/files/wireguard-setup.sh diff --git a/dev-docs/howto/vpn/templates/_helpers.tpl b/dev-docs/howto/vpn/helm/templates/_helpers.tpl similarity index 100% rename from dev-docs/howto/vpn/templates/_helpers.tpl rename to dev-docs/howto/vpn/helm/templates/_helpers.tpl diff --git a/dev-docs/howto/vpn/templates/configmaps.yaml b/dev-docs/howto/vpn/helm/templates/configmaps.yaml similarity index 100% rename from dev-docs/howto/vpn/templates/configmaps.yaml rename to dev-docs/howto/vpn/helm/templates/configmaps.yaml diff --git a/dev-docs/howto/vpn/templates/secrets.yaml b/dev-docs/howto/vpn/helm/templates/secrets.yaml similarity index 100% rename from dev-docs/howto/vpn/templates/secrets.yaml rename to dev-docs/howto/vpn/helm/templates/secrets.yaml diff --git a/dev-docs/howto/vpn/templates/service.yaml b/dev-docs/howto/vpn/helm/templates/service.yaml similarity index 100% rename from dev-docs/howto/vpn/templates/service.yaml rename to dev-docs/howto/vpn/helm/templates/service.yaml diff --git a/dev-docs/howto/vpn/templates/strongswan-secret.tpl b/dev-docs/howto/vpn/helm/templates/strongswan-secret.tpl similarity index 100% rename from dev-docs/howto/vpn/templates/strongswan-secret.tpl rename to dev-docs/howto/vpn/helm/templates/strongswan-secret.tpl diff --git a/dev-docs/howto/vpn/templates/strongswan-statefulset.yaml b/dev-docs/howto/vpn/helm/templates/strongswan-statefulset.yaml similarity index 100% rename from dev-docs/howto/vpn/templates/strongswan-statefulset.yaml rename to dev-docs/howto/vpn/helm/templates/strongswan-statefulset.yaml 
diff --git a/dev-docs/howto/vpn/templates/wireguard-secret.tpl b/dev-docs/howto/vpn/helm/templates/wireguard-secret.tpl similarity index 100% rename from dev-docs/howto/vpn/templates/wireguard-secret.tpl rename to dev-docs/howto/vpn/helm/templates/wireguard-secret.tpl diff --git a/dev-docs/howto/vpn/templates/wireguard-statefulset.yaml b/dev-docs/howto/vpn/helm/templates/wireguard-statefulset.yaml similarity index 100% rename from dev-docs/howto/vpn/templates/wireguard-statefulset.yaml rename to dev-docs/howto/vpn/helm/templates/wireguard-statefulset.yaml diff --git a/dev-docs/howto/vpn/values.yaml b/dev-docs/howto/vpn/helm/values.yaml similarity index 100% rename from dev-docs/howto/vpn/values.yaml rename to dev-docs/howto/vpn/helm/values.yaml diff --git a/dev-docs/howto/vpn/on-prem-terraform/.terraform.lock.hcl b/dev-docs/howto/vpn/on-prem-terraform/.terraform.lock.hcl new file mode 100644 index 000000000..edc29ee91 --- /dev/null +++ b/dev-docs/howto/vpn/on-prem-terraform/.terraform.lock.hcl 
@@ -0,0 +1,73 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/azurerm" { + version = "3.74.0" + constraints = "3.74.0" + hashes = [ + "h1:4b15khHtc5OkIVEFg0W5QRwf/ov1WVQkXVdSiAcTCS8=", + "h1:ETVZfmulZQ435+lgFCkZRpfVOLyAxfDOwbPXFg3aLLQ=", + "h1:H3diAufZ5VDQKsQNYykVRaFTOUJ4gjFiT2VLYi574+w=", + "h1:LEdK8BxNSNiBQbtcJhQZKMMHDjmPpUsvDpr3Mzs93Tg=", + "h1:VfBB00BE0wvFiod7BlL+Cn6r2599MEi94hnAQ277ux8=", + "zh:0424c70152f949da1ec52ba96d20e5fd32fd22d9bd9203ce045d5f6aab3d20fc", + "zh:16dbf581d10f8e7937185bcdcceb4f91d08c919e452fb8da7580071288c8c397", + "zh:3019103bc2c3b4e185f5c65696c349697644c968f5c085af5505fed6d01c4241", + "zh:49bb56ebaed6653fdb913c2b2bb74fc8b5399e7258d1e89084f72c44ea1130dd", + "zh:85547666517f899d88620bd23a000a8f43c7dc93587c350eb1ea17bcb3e645c7", + "zh:8bed8b646ff1822d8764de68b56b71e5dd971a4b77eba80d47f400a530800bea", + "zh:8bfa6c70c004ba05ebce47f74f49ce872c28a68a18bb71b281a9681bcbbdbfa1", + "zh:a2ae9e38fda0695fb8aa810e4f1ce4b104bfda651a87923b307bb1728680d8b6", + "zh:beac1efe32f99072c892095f5ff46e40d6852b66679a03bc3acbe1b90fb1f653", + "zh:d8a6ca20e49ebe7ea5688d91233d571e2c2ccc3e41000c39a7d7031df209ea8e", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:f937b5fdf49b072c0347408d0a1c5a5d822dae1a23252915930e5a82d1d8ce8b", + ] +} + +provider "registry.terraform.io/hashicorp/random" { + version = "3.5.1" + constraints = "3.5.1" + hashes = [ + "h1:3hjTP5tQBspPcFAJlfafnWrNrKnr7J4Cp0qB9jbqf30=", + "h1:6FVyQ/aG6tawPam6B+oFjgdidKd83uG9n7dOSQ66HBA=", + "h1:IL9mSatmwov+e0+++YX2V6uel+dV6bn+fC/cnGDK3Ck=", + "h1:VSnd9ZIPyfKHOObuQCaKfnjIHRtR7qTw19Rz8tJxm+k=", + "h1:sZ7MTSD4FLekNN2wSNFGpM+5slfvpm5A/NLVZiB7CO0=", + "zh:04e3fbd610cb52c1017d282531364b9c53ef72b6bc533acb2a90671957324a64", + "zh:119197103301ebaf7efb91df8f0b6e0dd31e6ff943d231af35ee1831c599188d", + "zh:4d2b219d09abf3b1bb4df93d399ed156cadd61f44ad3baf5cf2954df2fba0831", + 
"zh:6130bdde527587bbe2dcaa7150363e96dbc5250ea20154176d82bc69df5d4ce3", + "zh:6cc326cd4000f724d3086ee05587e7710f032f94fc9af35e96a386a1c6f2214f", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:b6d88e1d28cf2dfa24e9fdcc3efc77adcdc1c3c3b5c7ce503a423efbdd6de57b", + "zh:ba74c592622ecbcef9dc2a4d81ed321c4e44cddf7da799faa324da9bf52a22b2", + "zh:c7c5cde98fe4ef1143bd1b3ec5dc04baf0d4cc3ca2c5c7d40d17c0e9b2076865", + "zh:dac4bad52c940cd0dfc27893507c1e92393846b024c5a9db159a93c534a3da03", + "zh:de8febe2a2acd9ac454b844a4106ed295ae9520ef54dc8ed2faf29f12716b602", + "zh:eab0d0495e7e711cca367f7d4df6e322e6c562fc52151ec931176115b83ed014", + ] +} + +provider "registry.terraform.io/hashicorp/tls" { + version = "4.0.4" + hashes = [ + "h1:GZcFizg5ZT2VrpwvxGBHQ/hO9r6g0vYdQqx3bFD3anY=", + "h1:Wd3RqmQW60k2QWPN4sK5CtjGuO1d+CRNXgC+D4rKtXc=", + "h1:bNsvpX5EGuVxgGRXBQVLXlmq40PdoLp8Rfuh1ZmV7yY=", + "h1:pe9vq86dZZKCm+8k1RhzARwENslF3SXb9ErHbQfgjXU=", + "h1:rKKMyIEBZwR+8j6Tx3PwqBrStuH+J+pxcbCR5XN8WAw=", + "zh:23671ed83e1fcf79745534841e10291bbf34046b27d6e68a5d0aab77206f4a55", + "zh:45292421211ffd9e8e3eb3655677700e3c5047f71d8f7650d2ce30242335f848", + "zh:59fedb519f4433c0fdb1d58b27c210b27415fddd0cd73c5312530b4309c088be", + "zh:5a8eec2409a9ff7cd0758a9d818c74bcba92a240e6c5e54b99df68fff312bbd5", + "zh:5e6a4b39f3171f53292ab88058a59e64825f2b842760a4869e64dc1dc093d1fe", + "zh:810547d0bf9311d21c81cc306126d3547e7bd3f194fc295836acf164b9f8424e", + "zh:824a5f3617624243bed0259d7dd37d76017097dc3193dac669be342b90b2ab48", + "zh:9361ccc7048be5dcbc2fafe2d8216939765b3160bd52734f7a9fd917a39ecbd8", + "zh:aa02ea625aaf672e649296bce7580f62d724268189fe9ad7c1b36bb0fa12fa60", + "zh:c71b4cd40d6ec7815dfeefd57d88bc592c0c42f5e5858dcc88245d371b4b8b1e", + "zh:dabcd52f36b43d250a3d71ad7abfa07b5622c69068d989e60b79b2bb4f220316", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} 
diff --git a/dev-docs/howto/vpn/on-prem-terraform/main.tf b/dev-docs/howto/vpn/on-prem-terraform/main.tf
new file mode 100644
index 000000000..2c6368d1c
--- /dev/null
+++ b/dev-docs/howto/vpn/on-prem-terraform/main.tf
@@ -0,0 +1,294 @@
+terraform {
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "3.74.0"
+ }
+ random = {
+ source = "hashicorp/random"
+ version = "3.5.1"
+ }
+ }
+}
+
+provider "azurerm" {
+ features {}
+}
+
+locals {
+ username = "azureadmin"
+}
+
+resource "random_pet" "rg_name" {
+ prefix = var.name_prefix
+}
+
+resource "azurerm_resource_group" "rg" {
+ location = var.resource_group_location
+ name = random_pet.rg_name.id
+}
+
+# Create virtual network
+resource "azurerm_virtual_network" "network" {
+ name = "network"
+ address_space = [var.local_ts]
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
+}
+
+# Create subnet
+resource "azurerm_subnet" "subnet" {
+ name = "subnet"
+ resource_group_name = azurerm_resource_group.rg.name
+ virtual_network_name = azurerm_virtual_network.network.name
+ address_prefixes = [cidrsubnet(var.local_ts, 8, 0)]
+
+}
+
+resource "tls_private_key" "ssh_key" {
+ algorithm = "RSA"
+ rsa_bits = 4096
+}
+
+# Create public IPs
+resource "azurerm_public_ip" "pubIP" {
+ name = "publicIP"
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
+ allocation_method = "Dynamic"
+}
+
+# Create Network Security Group and rule
+resource "azurerm_network_security_group" "security_group" {
+ name = "secuityGroup"
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
+
+ security_rule {
+ name = "SSH"
+ priority = 1001
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Tcp"
+ source_port_range = "*"
+ destination_port_range = "22"
+ source_address_prefix = "*"
+ destination_address_prefix = "*"
+ }
+ security_rule {
+ name = "strongSwan_500"
+ priority = 1002
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Udp"
+ source_port_range = "*"
+ destination_port_range = "500"
+ source_address_prefix = "*"
+ destination_address_prefix = "*"
+ }
+ security_rule {
+ name = "strongSwan_4500"
+ priority = 1003
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Udp"
+ source_port_range = "*"
+ destination_port_range = "4500"
+ source_address_prefix = "*"
+ destination_address_prefix = "*"
+ }
+}
+
+resource "azurerm_route_table" "route_table" {
+ name = "vpn-routes"
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
+ disable_bgp_route_propagation = false
+
+ dynamic "route" {
+ for_each = var.remote_ts
+ content {
+ name = "route-${route.key}"
+ address_prefix = route.value
+ next_hop_type = "VirtualAppliance"
+ next_hop_in_ip_address = azurerm_network_interface.public_nic.private_ip_address
+ }
+ }
+}
+
+resource "azurerm_subnet_route_table_association" "route_table_association" {
+ subnet_id = azurerm_subnet.subnet.id
+ route_table_id = azurerm_route_table.route_table.id
+}
+
+
+# Create network interface
+resource "azurerm_network_interface" "public_nic" {
+ name = "public-nic"
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
+
+ ip_configuration {
+ name = "my_nic_configuration"
+ subnet_id = azurerm_subnet.subnet.id
+ private_ip_address_allocation = "Dynamic"
+ public_ip_address_id = azurerm_public_ip.pubIP.id
+ }
+}
+
+# Connect the security group to the network interface
+resource "azurerm_network_interface_security_group_association" "example" {
+ network_interface_id = azurerm_network_interface.public_nic.id
+ network_security_group_id = azurerm_network_security_group.security_group.id
+}
+
+# Create virtual machine
+resource "azurerm_linux_virtual_machine" "public_vm" {
+ name = "public_vm"
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
+ network_interface_ids = [azurerm_network_interface.public_nic.id]
+ size = "Standard_B2ats_v2"
+
+ os_disk {
+ name = "disk_public_vm"
+ caching = "ReadWrite"
+ storage_account_type = "Premium_LRS"
+ }
+
+ source_image_reference {
+ publisher = "Canonical"
+ offer = "0001-com-ubuntu-server-jammy"
+ sku = "22_04-lts-gen2"
+ version = "latest"
+ }
+
+ computer_name = "hostname"
+ admin_username = local.username
+
+ admin_ssh_key {
+ username = local.username
+ public_key = tls_private_key.ssh_key.public_key_openssh
+ }
+
+ boot_diagnostics {
+ }
+
+ user_data = base64encode(<> /etc/strongswan.d/charon-logging.conf
+charon {
+ filelog {
+ stderr {
+ time_format = %b %e %T
+ ike_name = yes
+ default = 1
+ ike = 2
+ flush_line = yes
+ }
+ }
+}
+EOT
+
+
+cat <<'EOT' >> /etc/swanctl/conf.d/constellation.conf
+connections {
+ gw-gw {
+ remote_addrs = ${var.remote_addr}
+
+ local {
+ auth = psk
+ }
+ remote {
+ auth = psk
+ }
+ children {
+ net-net {
+ local_ts = ${var.local_ts}
+ remote_ts = ${join(",", var.remote_ts)}
+
+ start_action = trap
+ }
+ }
+ }
+}
+
+secrets {
+ ike {
+ secret = ${var.ike_psk}
+ }
+}
+EOT
+
+cat <<'EOT' >> /home/${local.username}/restart-and-reload-strongswan.sh
+#!/bin/sh
+
+# Restart charon daemon
+ipsec restart
+
+sleep 5
+
+# Load all the config files
+swanctl --load-all
+
+echo "You now should be able to ping and curl the remote network (Pod IPs and Services)"
+
+EOT
+
+chmod +x /home/${local.username}/restart-and-reload-strongswan.sh
+sysctl -w net.ipv4.ip_forward=1
+
+EOF
+ )
+}
+
+resource "azurerm_network_interface" "private_nic" {
+ name = "private-nic"
+ location = var.resource_group_location
+ resource_group_name = azurerm_resource_group.rg.name
+
+ ip_configuration {
+ name = "internal"
+ subnet_id = azurerm_subnet.subnet.id
+ private_ip_address_allocation = "Dynamic"
+ }
+}
+
+# Create virtual machine
+resource "azurerm_linux_virtual_machine" "private_vm" {
+ name = "private_vm"
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
+ network_interface_ids = [azurerm_network_interface.private_nic.id]
+ size = "Standard_B2ats_v2"
+
+ os_disk {
+ name = "disk_private_vm"
+ caching = "ReadWrite"
+ storage_account_type = "Premium_LRS"
+ }
+
+ source_image_reference {
+ publisher = "Canonical"
+ offer = "0001-com-ubuntu-server-jammy"
+ sku = "22_04-lts-gen2"
+ version = "latest"
+ }
+
+ computer_name = "hostname"
+ admin_username = local.username
+
+ admin_ssh_key {
+ username = local.username
+ public_key = tls_private_key.ssh_key.public_key_openssh
+ }
+
+ boot_diagnostics {
+ }
+}
diff --git a/dev-docs/howto/vpn/on-prem-terraform/output.tf b/dev-docs/howto/vpn/on-prem-terraform/output.tf
new file mode 100644
index 000000000..24e31b361
--- /dev/null
+++ b/dev-docs/howto/vpn/on-prem-terraform/output.tf
@@ -0,0 +1,8 @@
+output "private_key" {
+ value = tls_private_key.ssh_key.private_key_pem
+ sensitive = true
+}
+
+output "public_ip" {
+ value = azurerm_public_ip.pubIP.ip_address
+}
diff --git a/dev-docs/howto/vpn/on-prem-terraform/variables.tf b/dev-docs/howto/vpn/on-prem-terraform/variables.tf
new file mode 100644
index 000000000..652916678
--- /dev/null
+++ b/dev-docs/howto/vpn/on-prem-terraform/variables.tf
@@ -0,0 +1,32 @@
+variable "resource_group_location" {
+ type = string
+ default = "westeurope"
+ description = "Location of the resource group."
+}
+
+variable "name_prefix" {
+ type = string
+ default = "vpn-test"
+}
+
+variable "remote_addr" {
+ type = string
+ description = "The public IP address of the remote host."
+}
+
+variable "ike_psk" {
+ type = string
+ description = "The IKE pre-shared key."
+}
+
+variable "local_ts" {
+ type = string
+ description = "The local traffic selector."
+ default = "10.99.0.0/16"
+}
+
+variable "remote_ts" {
+ type = list(string)
+ description = "The remote traffic selector."
+ default = ["10.10.0.0/16", "10.96.0.0/12"]
+}